The digitization of the healthcare industry – patients are being chronicled from their very first ultrasound – has had many benefits to patients, associates, doctors and even IT staff. But this new information and our growing reliance on technology have also introduced new levels of risk. Healthcare IT is tasked with continuously providing new types of security solutions to combat ever-growing persistent threats. Even with new technologies, breaches and malicious intrusions still happen to healthcare organizations and the unnerving part is the magnitude of data loss experienced.
Let’s take a look at the top three breaches over the past few months:
Number affected: About 780,000
How it happened: Reports show that a weak password was to blame for the hacking. The attack occurred against a network server containing patients’ Social Security numbers and data on children’s health plans.
Number affected: About 315,000
How it happened: Emory Healthcare reported that 10 backup disks went missing from a hospital storage facility. These disks contained information on surgical patients over a span of 17 years (1990–2007). The disks also contained Social Security information for about 228,000 patients as well as data around names, dates of surgery, diagnosis and medical procedure codes. Names of corresponding doctors could be found on the disk records as well.
Number affected: About 230,000
How it happened: Reports indicate that an employee in the Medicaid program moved personal information for about 230,000 Medicaid beneficiaries to his personal email account. The illegally transferred information came from 17 separate spreadsheets. These spreadsheets included names, phone numbers, addresses, birth dates, Medicaid ID numbers as well as Social Security numbers of those with Medicaid IDs.
With these examples in mind, it’s important to look at ways to prevent these types of attacks from happening. New types of security measures can help with the logical part of the conversation – but what about physical risks? What about storage facilities and backup disks? The conversation around healthcare data security must extend beyond data loss prevention (DLP) and intrusion prevention system (IPS) solutions. While they’re important, there are other vital components as well.
Enforce sound security policies – The key word here is enforce. Many healthcare organizations put in place solid security policies – only to not follow them. Any lag in security protocol can and does lead to a security breach. For example, a weak password, unlocked door, unsecured USB port can all lead to serious security holes. Modern healthcare security policies span software, hardware, mobile devices and many locations. The only way to stay ahead of hackers and other threats is to enforce quality security policies.
Never forget about physical security – Hacking or a data leakage can be pretty bad. But what if someone actually steals a blade? Or what if someone decides to take a few backup disks? Both of these scenarios can and will create a data breach incident even though no “hacking” occurred. Physical security at the healthcare data center level is a must. This means bringing in biometric scanners, locked racks, delegated sets of administrator duties and good security systems. Though this can be an investment, the alternative is the loss of 315,000 patient records.
Deploy next-generation security – Next-generation security is a great buzz term with far too much meaning. The reality here is that healthcare organizations, to be proactive, must have DLP, IPS and intrusion detection systems (IDS) and other solutions in place. This could also include technologies like application firewalls, Distributed Denial of Service (DDoS) protection at the gateway and much more. However, next-generation security also falls within the borders of the healthcare environment. Network scanners, virtual appliances and other technologies can be placed within the infrastructure to scan for anomalies or irregular behavior.
Don’t forget to lock down the endpoint – What is an endpoint these days anyway? With IT consumerization, mobility and BYOD the definition of an end-user device has certainly evolved. Now, clinical staff can use phones, tablets, and personal laptops to access the network and patient data. These devices – although very helpful to the user – create new types of security challenges. Still, that’s no excuse for lax security measures. New technologies can scale the entire line of devices and help healthcare organizations secure the endpoint. Consider this:
VDI: Hate it or love it – by eliminating the endpoint and delivering the entire desktop via VDI, you create a lot of control.
Thin-clients: The backbone infrastructure has advanced so much that fat PCs are no longer needed at the endpoint. More organizations are delivering virtual applications and desktops to thin-client endpoints.
Endpoint security: Even with a PC at the user level, administrators have numerous technologies which can basically disable everything on a computer except a monitor, mouse and a keyboard. With proper utilization of these technologies, and a good DLP system – the copying of corporate resources to personal devices/emails will be blocked.
Mobility security: Unless it’s a corporate healthcare device – forget trying to control the hardware. It makes a lot of sense to try and manage the workload that’s being delivered. In that sense – policies, user groups, and other security protocols can be used to control what users see on their mobile devices.
Furthermore, the technology to help control BYOD has come very far as well. Some vendor solutions create a lot of options around device security. Do some of these solutions require an investment? Most likely they will. However – think about what happens when poor security protocols are enacted. Or, when security policies aren’t property applied. The ramifications of a security breach can be extremely costly from an overall image as well as infrastructure perspective.
Healthcare IT facilities must take the security equation to a new level by combining the logical and physical. This means having proactive security protocols around all layers of the healthcare environment. The dependence on healthcare IT systems will only continue to grow. This means more data on servers and the potential for more risk. Take the time to develop your security plan to encompass all known possible threat vectors.
Bill Kleyman, MBA, MISM, has heavy experience in network infrastructure management. He has served as a technology consultant and taken part in large virtualization deployments while be involved in business network design and implementation. He is currently the Virtualization Architect at MTM Technologies Inc. and his prior work includes Director of Technology at World Wide Fittings Inc.