Balancing hospital security ‘tricky’
Data security is a multi-dimensional job full of variables that sometimes aren’t noticed until it’s too late. And often these unforeseen breaches are completely accidental, caused by an unsuspecting user.
For the most part, hospitals have sufficiently guarded their systems against threats from malevolent attackers on the outside. But while sophisticated firewall technology and multiple layers of security clearance are effectively shielding sensitive data from intruders, many hospitals are leaving other avenues wide open to a potential breach, authorities say.
One of the biggest internal vulnerabilities, representatives from Portsmouth, N.H.-based BeyondTrust say, is the “misuse of privilege” by hospital personnel.
“In many healthcare environments, people are granted excess privileges,” said Scott McCarley, director of marketing communications. “Not that we want to prevent access, but there are users with too many privileges, such as administrator rights on a Windows PC.”
McCarley concedes that giving users broader authority aids productivity and that implementing restrictions can conceivably hamper workflow.
“It is a tricky proposition to balance security, compliance and productivity,” he said.
BeyondTrust chief technology officer Eric Voskuil says the primary security threat is coming more from malware called Botnet than from destructive viruses.
“It’s a Trojan horse program designed to make money off the attack,” he said. “It doesn’t try to break anything, just implant software so that it can be used for extortion. It controls thousands of computers without anyone knowing it. This is a new emerging threat and is pretty scary.”
To protect systems against this threat, BeyondTrust has designed a Privilege Access Lifecycle Management framework that allows IT staff to access, control and monitor privileged resources and enable a more “granular privilege delegation” of administrator rights, Vokuil said.
Document lockdown
New York-based IntraLinks also focuses on users’ access privileges with regard to document review. Using technology that creates a “virtual data room,” the IntraLinks system serves as a sentry that checks credentials and determines usage levels.
“User functions are based on roles,” said Alison Shurell, vice president of life sciences product marketing. “It may be ‘read only’ or permission to modify content. There are increasing levels of access and control based on each user’s profile.”
IntraLinks developed and honed its system in corporate banking for loan syndication and mergers/acquisitions. By taking paper documents off a meeting table and putting them in cyberspace, it provided a formidable shelter for sensitive information, Shurell said.
For the past decade, IntraLinks has focused on making the same transformation in healthcare, she said, specifically for highly sensitive drug licensing documents and clinical trials. Even so, she said the medical industry is still heavily reliant on paper documents and that poses an ongoing security risk.
“There is one instance where a fax with sensitive information went to a fast food vendor because the phone number was one digit off,” she said. “That cannot happen with our system. We control the distribution to ensure the document gets to the right place and into the right hands.”
The ‘device gap’
Medical equipment is another area of security vulnerability, which is why Indianapolis-based eProtex has created a network to protect critical patient records and clinical technology infrastructure. Executive director Earl Reber points out that a gap exists between devices and networks that leaves facilities open to security breaches.
When evaluating an at-risk device, Reber says the determining factor is whether it connects to the network.
“An EKG machine that downloads information onto a CD might not be at risk, but ICU monitors, PACS images and therapeutic devices such as IV pumps, usually are,” he said. “These devices are covered by the Electronic Protected Health Information section of the HIPAA security rule.”
There are many factors involved in protecting devices within facilities and even in the community, such as in-home glucose monitors, home oxygen equipment and telehealth devices, Reber said. At the hospital level, he commends most IT departments for doing a good job securing the connection between data storage and workstations. Yet across the enterprise there typically is a series of different operating systems and a multitude of interfaces, he said, which makes device security a huge challenge.
In assessing the risk to devices, eProtex evaluates all equipment and gathers information about operating systems, how each device connects to the network, its EPHI status and the types of safeguards needed.
“There are programs to keep the information up to date and keep the ports secure,” Reber said. “You can’t just put antivirus software on a medical device. We evaluate all those factors and offer the security options hospitals and clinics need to protect that information.”