Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

4/6/2011
03:57 PM
50%
50%

Healthcare Data Security In Transition

Hackers are not as big a problem as insiders snooping on electronic medical and financial records, and the legal penalties for violating security rules are getting tougher.

Health IT Boosts Patient Care, Safety
(click image for larger view)
Slideshow: Health IT Boosts Patient Care, Safety
As hospitals shift their security efforts, healthcare data security is in transition. External hackers are less of a concern these days than insiders snooping on electronic medical and financial records. Hospitals are exchanging more data with small physician practices that may not have adequate safeguards in place, while mobile devices are extending networks far beyond institutional walls. Plus, federal privacy and security standards are getting stronger, as are the penalties for violating those rules.

"Your biggest [threats] are internal," Terrell Herzig, information security officer for the University of Alabama at Birmingham Health System (UAB), said Tuesday at a health IT conference in Atlanta. Employees have been known to take unauthorized peeks at the records of VIPs such as local celebrities or prominent citizens, and with more than 50 million uninsured Americans, there is a thriving black market for stolen and fraudulent health plan identification numbers.

"We're emphasizing awareness and education" for employees and medical staff, said Mark Moroses, chief information officer of Continuum Health Partners, a five-hospital system in New York City. "We try not to have a heavy hand in a less-than-egregious breach. The education loop is what we focus on."

Still, after a local newspaper exposed security vulnerabilities at a Continuum hospital by getting an insider to point out how to access patient records, Moroses helped authorities arrest and prosecute the employee, who, it turned out, had stolen patient identities at another hospital but hadn't been caught. "We did a better job of collecting the evidence," Moroses said.

"You can't lock down everything," said Cigdem Delano, chief information officer at Morehouse School of Medicine (MSM) in Atlanta said. "No matter what you do, there's always going to be a human factor."

Meanwhile, security and compliance officers are trying to strike a delicate balance between protecting their data and making the IT systems so difficult to navigate that users -- particularly those fickle creatures known as physicians -- rebel.

"You can also have too much security," Delano said. At least one person in the MSM legal department wanted Department of Defense-level security in the clinical IT server room, he said. But the medical school isn't doing anything with national security implications such as bioterrorism research.

On the other hand, UAB has some contracts with the National Institutes of Health that involve potentially sensitive data, but didn't want to frustrate end users by forcing them to enter complicated passwords each time they turned away from the computer for a few seconds. Herzig and his team chose thin clients with two-factor authentication in the form of smart cards. If users remove their cards without logging out, their sessions stay frozen. They can reinsert the cards at other workstations and simply re-enter a personal identification number to resume working.

Continuum has essentially turned its computers-on-wheels into dumb terminals, Moroses said, and by next year will only have thin clients available to most end users. This is what Mike Wall, CEO of DICOM Grid, a Phoenix-based provider of cloud storage and archiving of digital medical images, calls a "zero footprint" from a security standpoint: no data stored on local computers.

"The whole zero-footprint thing is great," said Herzig, particularly in the age of mobility. "We made the decision that we were going to manage data, not devices," he said.

Sometimes, though, it's impossible to keep all data in-house, especially as an increasing number of patients ask for electronic copies of medical records and images. That's where encryption comes in. Herzig spoke of finding a CD clearly marked with a patient's name lying in the hospital's parking lot. The image on the disc was not secured.

This apparently is a common occurrence. "Every facility I go to, there's a CD problem," said Wall, whose company, of course, has an interest in moving images to the cloud.

According to Moroses, only in the past two years or so have major information security vendors been able to offer healthcare organizations end-to-end encryption products and services. Before then, it was rather piecemeal.

"We went through what I affectionately call encryption conniptions," Herzig adds. "It's got to be continuous across the whole space."

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/27/2020
Chinese Attackers' Favorite Flaws Prove Global Threats, Research Shows
Kelly Sheridan, Staff Editor, Dark Reading,  10/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-11484
PUBLISHED: 2020-10-29
NVIDIA DGX servers, all DGX-1 with BMC firmware versions prior to 3.38.30, contains a vulnerability in the AMI BMC firmware in which an attacker with administrative privileges can obtain the hash of the BMC/IPMI user password, which may lead to information disclosure.
CVE-2020-11485
PUBLISHED: 2020-10-29
NVIDIA DGX servers, all DGX-1 with BMC firmware versions prior to 3.38.30, contains a Cross-Site Request Forgery (CSRF) vulnerability in the AMI BMC firmware in which the web application does not sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the u...
CVE-2020-11486
PUBLISHED: 2020-10-29
NVIDIA DGX servers, all DGX-1 with BMC firmware versions prior to 3.38.30, contain a vulnerability in the AMI BMC firmware in which software allows an attacker to upload or transfer files that can be automatically processed within the product's environment, which may lead to remote code execution.
CVE-2020-11487
PUBLISHED: 2020-10-29
NVIDIA DGX servers, DGX-1 with BMC firmware versions prior to 3.38.30. DGX-2 with BMC firmware versions prior to 1.06.06 and all DGX A100 Servers with all BMC firmware versions, contains a vulnerability in the AMI BMC firmware in which the use of a hard-coded RSA 1024 key with weak ciphers may lead ...
CVE-2020-11488
PUBLISHED: 2020-10-29
NVIDIA DGX servers, all DGX-1 with BMC firmware versions prior to 3.38.30 and all DGX-2 with BMC firmware versions prior to 1.06.06, contains a vulnerability in the AMI BMC firmware in which software does not validate the RSA 1024 public key used to verify the firmware signature, which may lead to i...