Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics

7/13/2006
07:50 AM
50%
50%

Duke Revamps Access

Duke Medical Center looks to lock down patient data and ease the strain on IT staff

Duke University Medical Center is currently overhauling its security and storage operations in an attempt to lock down its critical data and meet its regulatory commitments.

Rafael Rodriguez, the Medical Center's associate CIO, says the organization is looking to ease the strain on its helpdesk by deploying Tivoli's Identity Manager software to handle passwords across a slew of complex medical systems.

"About 40 percent of the calls to our helpdesk are for password resets," he explains. With Identity Manager, end users can reset the passwords themselves, and these can then be synchronized across medical systems, laptops, and workstations.

With around 1,500 faculty physicians and over 800 staff members, setting and resetting passwords has traditionally been something of a logistical nightmare for Rodriguez and his staff. "Some end users had as many as 20 different applications, so you can imagine this was quite a high pain point," he explains.

After choosing Tivoli earlier this year, the Center is now deploying the software, and Rodriguez expects to have the password system in production mode in the fourth quarter. Initially, he says, the organization will roll out Identity Manager across six key applications, followed by another six by the middle of 2008.

"Our primary focus is clinical applications," he explains, adding that a patient information application and the hospital's system for ordering medications will be amongst the first to get the new password protection. "We also plan to manage the passwords for our email systems."

The applications are hosted on two IBM pSeries mainframes running the AIX operating system. These, in turn, are linked to the university's 170-Tbyte SAN, which is built from Cisco MDS Directors and hardware from HP, IBM, and Sun.

Rodriguez explains that the password lockdown will be particularly useful during the summer when the Center gets an influx of doctors. "This month, we have the new class of residents coming in," he says. "This will make the process of setting up passwords and setting up accounts on the different systems automatic."

Duke is also looking to boost its internal security. For example, if a doctor or nurse forgets to sign off from a computer linked to the patient records system, the software monitors the device and ends the session, requiring the next user to sign on again.

Although he would not reveal specifics, Rodriguez says that the Center spent "several thousands of dollars" on the Tivoli product, although he is looking for a speedy ROI. "I expect that we would get a return on this investment in the next couple of years."

In addition to Tivoli, Duke also looked at a product from BMC for handling its passwords, although Rodriguez says that the former won out thanks to its ability to support a range of different systems. "Tivoli made a commitment to do this work with us in the academic medical environment, which is complex," he says, adding that Identity Manager was also competitively priced.

The deployment, according to Rodriguez, is also helping the University meet its Health Insurance Portability and Accountability Act (HIPAA) commitments, which dictate who can access patients' medical records. (See Users Self-Destruct on Governance.) "Because all the passwords are synchronized, the end user can set up stronger passwords [so] they don't have to write them down," he explains. "[So] there's less risk that the passwords will be compromised."

Additionally, the Center is better positioned to meet the stringent audit requirements of HIPAA. "Identity Manager has its own audits of people who have changed passwords and audits of who is accessing the system," says Rodriguez.

But the exec admits that deploying this type of technology in a byzantine multi-system medical environment is easier said than done. "The challenge is that this is a complex environment because we have a lot of different applications working together."

At the same time it is deploying Identity Manager, however, Duke is rolling out IBM's SAN Volume Controller to better monitor its SAN. Although this is not yet in production, Rodriguez says that the move was prompted by growing volumes of data on the SAN.

The University's health system currently accounts for 130 of the SAN's 170 storage volumes, with the remainder allocated to the Duke campus. Only 90 percent of health system data, however, is currently held on the SAN, and Rodriguez is planning to migrate the remaining 10 percent at some point in the future. "[The] targets for expansion are data in remote data centers."

— James Rogers, Senior Editor, Byte and Switch

  • BMC Software Inc. (NYSE: BMC)
  • Cisco Systems Inc. (Nasdaq: CSCO)
  • EMC Corp. (NYSE: EMC)
  • Hewlett-Packard Co. (NYSE: HPQ)
  • IBM Corp. (NYSE: IBM)

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    COVID-19: Latest Security News & Commentary
    Dark Reading Staff 10/1/2020
    9 Tips to Prepare for the Future of Cloud & Network Security
    Kelly Sheridan, Staff Editor, Dark Reading,  9/28/2020
    Attacker Dwell Time: Ransomware's Most Important Metric
    Ricardo Villadiego, Founder and CEO of Lumu,  9/30/2020
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon
    Current Issue
    Special Report: Computing's New Normal
    This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
    Flash Poll
    How IT Security Organizations are Attacking the Cybersecurity Problem
    How IT Security Organizations are Attacking the Cybersecurity Problem
    The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2020-5788
    PUBLISHED: 2020-10-01
    Relative Path Traversal in Teltonika firmware TRB2_R_00.02.04.3 allows a remote, authenticated attacker to delete arbitrary files on disk via the admin/system/admin/certificates/delete action.
    CVE-2020-5789
    PUBLISHED: 2020-10-01
    Relative Path Traversal in Teltonika firmware TRB2_R_00.02.04.3 allows a remote, authenticated attacker to read the contents of arbitrary files on disk.
    CVE-2020-9486
    PUBLISHED: 2020-10-01
    In Apache NiFi 1.10.0 to 1.11.4, the NiFi stateless execution engine produced log output which included sensitive property values. When a flow was triggered, the flow definition configuration JSON was printed, potentially containing sensitive values in plaintext.
    CVE-2020-9487
    PUBLISHED: 2020-10-01
    In Apache NiFi 1.0.0 to 1.11.4, the NiFi download token (one-time password) mechanism used a fixed cache size and did not authenticate a request to create a download token, only when attempting to use the token to access the content. An unauthenticated user could repeatedly request download tokens, ...
    CVE-2020-9491
    PUBLISHED: 2020-10-01
    In Apache NiFi 1.2.0 to 1.11.4, the NiFi UI and API were protected by mandating TLS v1.2, as well as listening connections established by processors like ListenHTTP, HandleHttpRequest, etc. However intracluster communication such as cluster request replication, Site-to-Site, and load balanced queues...