Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


07:50 AM

Duke Revamps Access

Duke Medical Center looks to lock down patient data and ease the strain on IT staff

Duke University Medical Center is currently overhauling its security and storage operations in an attempt to lock down its critical data and meet its regulatory commitments.

Rafael Rodriguez, the Medical Center's associate CIO, says the organization is looking to ease the strain on its helpdesk by deploying Tivoli's Identity Manager software to handle passwords across a slew of complex medical systems.

"About 40 percent of the calls to our helpdesk are for password resets," he explains. With Identity Manager, end users can reset the passwords themselves, and these can then be synchronized across medical systems, laptops, and workstations.

With around 1,500 faculty physicians and over 800 staff members, setting and resetting passwords has traditionally been something of a logistical nightmare for Rodriguez and his staff. "Some end users had as many as 20 different applications, so you can imagine this was quite a high pain point," he explains.

After choosing Tivoli earlier this year, the Center is now deploying the software, and Rodriguez expects to have the password system in production mode in the fourth quarter. Initially, he says, the organization will roll out Identity Manager across six key applications, followed by another six by the middle of 2008.

"Our primary focus is clinical applications," he explains, adding that a patient information application and the hospital's system for ordering medications will be amongst the first to get the new password protection. "We also plan to manage the passwords for our email systems."

The applications are hosted on two IBM pSeries mainframes running the AIX operating system. These, in turn, are linked to the university's 170-Tbyte SAN, which is built from Cisco MDS Directors and hardware from HP, IBM, and Sun.

Rodriguez explains that the password lockdown will be particularly useful during the summer when the Center gets an influx of doctors. "This month, we have the new class of residents coming in," he says. "This will make the process of setting up passwords and setting up accounts on the different systems automatic."

Duke is also looking to boost its internal security. For example, if a doctor or nurse forgets to sign off from a computer linked to the patient records system, the software monitors the device and ends the session, requiring the next user to sign on again.

Although he would not reveal specifics, Rodriguez says that the Center spent "several thousands of dollars" on the Tivoli product, although he is looking for a speedy ROI. "I expect that we would get a return on this investment in the next couple of years."

In addition to Tivoli, Duke also looked at a product from BMC for handling its passwords, although Rodriguez says that the former won out thanks to its ability to support a range of different systems. "Tivoli made a commitment to do this work with us in the academic medical environment, which is complex," he says, adding that Identity Manager was also competitively priced.

The deployment, according to Rodriguez, is also helping the University meet its Health Insurance Portability and Accountability Act (HIPAA) commitments, which dictate who can access patients' medical records. (See Users Self-Destruct on Governance.) "Because all the passwords are synchronized, the end user can set up stronger passwords [so] they don't have to write them down," he explains. "[So] there's less risk that the passwords will be compromised."

Additionally, the Center is better positioned to meet the stringent audit requirements of HIPAA. "Identity Manager has its own audits of people who have changed passwords and audits of who is accessing the system," says Rodriguez.

But the exec admits that deploying this type of technology in a byzantine multi-system medical environment is easier said than done. "The challenge is that this is a complex environment because we have a lot of different applications working together."

At the same time it is deploying Identity Manager, however, Duke is rolling out IBM's SAN Volume Controller to better monitor its SAN. Although this is not yet in production, Rodriguez says that the move was prompted by growing volumes of data on the SAN.

The University's health system currently accounts for 130 of the SAN's 170 storage volumes, with the remainder allocated to the Duke campus. Only 90 percent of health system data, however, is currently held on the SAN, and Rodriguez is planning to migrate the remaining 10 percent at some point in the future. "[The] targets for expansion are data in remote data centers."

— James Rogers, Senior Editor, Byte and Switch

  • BMC Software Inc. (NYSE: BMC)
  • Cisco Systems Inc. (Nasdaq: CSCO)
  • EMC Corp. (NYSE: EMC)
  • Hewlett-Packard Co. (NYSE: HPQ)
  • IBM Corp. (NYSE: IBM)

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    Cloud Security Startup Lightspin Emerges From Stealth
    Kelly Sheridan, Staff Editor, Dark Reading,  11/24/2020
    Look Beyond the 'Big 5' in Cyberattacks
    Robert Lemos, Contributing Writer,  11/25/2020
    Why Vulnerable Code Is Shipped Knowingly
    Chris Eng, Chief Research Officer, Veracode,  11/30/2020
    Register for Dark Reading Newsletters
    White Papers
    Cartoon Contest
    Write a Caption, Win an Amazon Gift Card! Click Here
    Latest Comment: We are really excited about our new two tone authentication system!
    Current Issue
    2021 Top Enterprise IT Trends
    We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
    Flash Poll
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    PUBLISHED: 2020-12-01
    containerd is an industry-standard container runtime and is available as a daemon for Linux and Windows. In containerd before versions 1.3.9 and 1.4.3, the containerd-shim API is improperly exposed to host network containers. Access controls for the shim’s API socket verified that...
    PUBLISHED: 2020-12-01
    FusionCompute versions 6.3.0, 6.3.1, 6.5.0, 6.5.1 and 8.0.0 have a privilege escalation vulnerability. Due to improper privilege management, an attacker with common privilege may access some specific files and get the administrator privilege in the affected products. Successful exploit will cause pr...
    PUBLISHED: 2020-12-01
    HUAWEI nova 4 versions earlier than and SydneyM-AL00 versions earlier than have an out-of-bounds read and write vulnerability. An attacker with specific permissions crafts malformed packet with specific parameter and sends the packet to the affected prod...
    PUBLISHED: 2020-12-01
    HCL iNotes is susceptible to a sensitive cookie exposure vulnerability. This can allow an unauthenticated remote attacker to capture the cookie by intercepting its transmission within an http session. Fixes are available in HCL Domino and iNotes versions 10.0.1 FP6 and 11.0.1 FP2 and later.
    PUBLISHED: 2020-12-01
    HCL Domino is susceptible to a lockout policy bypass vulnerability in the LDAP service. An unauthenticated attacker could use this vulnerability to mount a brute force attack against the LDAP service. Fixes are available in HCL Domino versions 9.0.1 FP10 IF6, 10.0.1 FP6 and 11.0.1 FP1 and later.