Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

5/9/2013
11:32 AM
50%
50%

Health IT Execs' Top Worries: Security, BYOD, Cloud

Personal mobile devices still present huge security challenge, say HIMSS Analytics focus group participants.

Health Data Security: Tips And Tools
Health Data Security: Tips And Tools
(click image for larger view and for slideshow)
Seven senior IT executives who participated in a focus group conducted by analyst group HIMSS Analytics cited data security concerns -- especially those related to the growing use of personal mobile devices -- as among their top challenges. Other pressing issues included the growth in data storage needs and health information exchange.

Although the focus group was small, what the participants said reflected the IT infrastructure priorities of the industry, as represented in a recent survey by the Health Information Management and Systems Society (HIMSS), according to a report on the focus group.

The IT executives lamented their loss of control over device management in a "bring your own device" (BYOD) environment. As one participant noted, "you can't lock down [providers'] personal e-mail."

[ Want more on BYOD in healthcare? Read Halamka Knows Perils And Promise Of Healthcare BYOD. ]

Another participant pointed out that with the proliferation of personal smartphones and iPads in hospitals, "data is exchanged insecurely whether you like it or not," regardless of how many security controls are put in place. Providers tend to find workarounds that can jeopardize data security, several people said.

According to a December 2012 HIMSS survey on mobile devices, 75% of hospitals are using "remote wipe" capabilities to eliminate data on lost or stolen devices. Also, many facilities are using mobile devices to access data but not to store it, noted Jennifer Horowitz, senior research director of HIMSS Analytics, in an interview.

"For the most part, organizations are viewing these devices as access tools and not necessarily as storage tools. They don't want the data [to reside] on the device," she said.

The focus group participants pointed out that the use of wireless networks makes it difficult, if not impossible, to prevent employee use of the Internet for personal reasons. Although some hospitals tried to restrict access to websites such as Amazon, Facebook and Twitter, they found that employees figured out how to reach those sites by using their institution's guest network.

When clinicians are working, rather than playing, they might encounter "drop zones" in their wireless networks where the signals to mobile devices fade out. Participants reported using a variety of solutions to address this problem, including "virtual desktops" that let users who experience a dropped signal pick up where they left off when wireless access is restored. One participant said his institution used a microwave network to transmit and receive data in places where cellular signals are blocked.

Data storage was cited as another problem, mainly because of the spread of data-hungry picture archiving and communications systems (PACS). Among the issues were "the ability to store an ever-increasing number of data-intensive images, challenges in exchanging images created by remote clinicians, and securing images taken with a mobile imaging machine," according to the report.

One participant said his organization had trouble linking to remote sites because the only solution available was "painfully slow." Yet he did not mention the possibility of using a cloud service to store data and applications.

In general, the participants "were approaching the use of cloud computing with caution," the report said. Some executives said they were comfortable with the use of a private cloud hosted by their primary health IT vendor. But they were still more likely to store administrative data in the cloud than clinical data containing personal health information.

One major obstacle to using the cloud, Horowitz pointed out, is the difficulty that providers have had in obtaining business associate agreements (BAAs) from cloud vendors. Under the latest HIPAA rules, providers are required to have BAAs with cloud computing firms. If they don't, they could get in trouble with the government, and they also run the risk of being sued if there is a security breach involving personal health information.

"If hospitals put their information out there in the cloud, and anybody else has access to or control over it, hospitals need to feel secure that the appropriate security mechanisms are put into place," Horowitz said.

Although Microsoft and Box recently announced that they have HIPAA-compliant BAAs, some other public cloud vendors apparently don't. It is unclear, however, why any technology vendor that hosts a private cloud service designed primarily for hospitals or physician practices would not sign a BAA.

Lisa Gallagher, VP of technology solutions for HIMSS, told InformationWeek that in the recent past, "some cloud vendors were reluctant to sign BAAs." But the new HIPAA Omnibus Rule makes it clear that all providers must have such agreements in place with cloud providers. "So, now cloud providers must sign BAAs when their services include receiving and storing PHI [personal health information]."

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
josephmalone29
50%
50%
josephmalone29,
User Rank: Apprentice
5/26/2013 | 10:35:16 PM
re: Health IT Execs' Top Worries: Security, BYOD, Cloud
I can understand that healhcare IT is waiting to see if there is a back lash to BYOD, but if you are using HIPAA compliant data security in your BYOD policy, such as a HIPAA compliant text messaging app like Tigertext, then it should not ever really be an issue. We are going one step further, and actually developing our own app incorporating TigerConnect API by Tigertext, as well as HIPAA compliant email intigration, to make for a secure and easy to use BYOD solution which when combined with our BYOD policy will do a very good job of lowering the BYOD risk.
jaysimmons
50%
50%
jaysimmons,
User Rank: Apprentice
5/12/2013 | 5:26:39 AM
re: Health IT Execs' Top Worries: Security, BYOD, Cloud
I guess I can see why a lot of these cloud vendors are reluctant to sign new BAA as the penalties for any breach of patient data can be quite steep, but if you are going to market your cloud as secure enough for PHI, then you better be able to back up your claims. I for one would switch cloud services if my vendor said he didnGt want to sign a BAA. It gives of a sense that your information is not secure with the cloud service.

Jay Simmons
Information Week Contributor
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Healthcare Industry Sees Respite From Attacks in First Half of 2020
Robert Lemos, Contributing Writer,  8/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: It's a technique known as breaking out of the sandbox kids.
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-20383
PUBLISHED: 2020-08-13
ABBYY network license server in ABBYY FineReader 15 before Release 4 (aka 15.0.112.2130) allows escalation of privileges by local users via manipulations involving files and using symbolic links.
CVE-2020-24348
PUBLISHED: 2020-08-13
njs through 0.4.3, used in NGINX, has an out-of-bounds read in njs_json_stringify_iterator in njs_json.c.
CVE-2020-24349
PUBLISHED: 2020-08-13
njs through 0.4.3, used in NGINX, allows control-flow hijack in njs_value_property in njs_value.c. NOTE: the vendor considers the issue to be "fluff" in the NGINX use case because there is no remote attack surface.
CVE-2020-7360
PUBLISHED: 2020-08-13
An Uncontrolled Search Path Element (CWE-427) vulnerability in SmartControl version 4.3.15 and versions released before April 15, 2020 may allow an authenticated user to escalate privileges by placing a specially crafted DLL file in the search path. This issue was fixed in version 1.0.7, which was r...
CVE-2020-24342
PUBLISHED: 2020-08-13
Lua through 5.4.0 allows a stack redzone cross in luaO_pushvfstring because a protection mechanism wrongly calls luaD_callnoyield twice in a row.