A healthcare organization is constantly weighing short-term plans against long-term goals, and ensuring that these different projects are properly aligned isn’t always easy. Dale Atkins, Technical Architect at Munson Medical Center of Traverse City, Mich., previously told HealthITSecurity.com that Munson is working on a few proofs of concept for an internally hosted and a cloud-based system.
With those focuses in mind, it’s clear that Munson will continue to assess how it will use cloud-based technology going forward and make changes along the way. As the organization evaluates potential threats and its comfort level with the risks involved, Atkins offered details on some of Munson’s current projects and how they will affect long-term infrastructure plans.
First, he said one area in which it wanted to mitigate risks was device encryption. As part of its Windows 7 upgrade, Munson implemented BitLocker on all laptops and desktop devices. This provides peace of mind for Atkins and the rest of the IT team because he said it would take “considerable effort” to break into an encrypted hard drive and get data off of it.
Munson is also concentrating on preventing users from downloading sensitive data to a PC or even their own private cloud, also known in healthcare as the “DropBox problem.” Atkins explained how, as part of its Citrix XenMobile mobile device management (MDM) package, users will be able to use Citrix’s ShareFile to access, edit and review files, with those files never actually touching the device. “We needed to provide an alternative that is secure for people to use it for clinical reasons,” Atkins said. “Otherwise, that’s a security risk for us and something we have no control over.”
Once Munson has fully laid out its mobile strategy, Atkins said that the success of moving that data to the cloud would likely have an impact on the possibilities of moving other types of data to the cloud as well. “[For example] doing a lot with business intelligence (BI) and tying a lot of systems to our BI data warehouse,” he said. “That may be something that we move out onto the cloud because the next step, in my mind, is to look at that data and [potentially move it] along with some other static data that isn’t critical.”
And as cloud providers prove themselves, such as by effectively maintaining the security of the data and the uptime, Atkins predicted that healthcare organizations in general will become more comfortable moving data onto the cloud. At the moment, he sees healthcare systems as relatively easier targets than perhaps financial systems because of the desire to resell Social Security numbers and bank/credit card information to identity thieves.
Atkins believes that one thing healthcare can do as a whole in the short term is stay up to date on patches sent out to remediate malware threats.
“Zero-day attacks are hard to do anything with, but the fact that the industry knew about Heartbleed and other malware and we don’t take the time to patch those systems [is a problem] and we need to do a better job of that. For example, we had already done our patching, but I had already asked them to go back and look at it again to make sure we didn’t miss anything the first time around. Sure enough, we had a Juniper device that we hadn’t patched and quickly got that taken care of.”
Atkins surmised that as a result of these threats, healthcare may be more likely to move to cloud computing and offload those vulnerabilities to cloud providers. Since maintaining the security of a network is expensive and it can never be 100 percent secure, he said, Munson would hypothetically manage its EMR system internally to ensure that it’s secure, and then it can push out the other types of data to the cloud.