Is healthcare leaving its guard down?
UNDER NO CIRCUMSTANCES would the U.S. Treasury let new currency leave the mint without being surrounded by armed guards and an armored truck. Yet personal data – as valuable as gold to identity thieves – is often left defenseless as it travels across the Internet and other communication lines outside the hospital, IT security officials say.
Despite state and federal regulations requiring encryption for external data transfer, many hospitals still haven’t felt the urgency to do so, says Ellen Libenson, vice president of product marketing for Agoura Hills, Calif.-based Symark Software.
“I wish I could say the state of information security in hospitals is great, but we haven’t found a lot of organizations that are taking it seriously enough yet,” she said. “They find the consequences aren’t grave enough, the fines aren’t high enough. They would rather take their chances.”
There is a widespread perception in the provider community that data encryption technology is costly and disruptive and that the risk of patient data being intercepted by identity thieves is low. Those impressions are way off, security experts say, as many encryption and other protection devices are inexpensive and simple to install. Moreover, identity thieves view healthcare facilities “as a fertile farm” for data harvesting, Libenson said.
“Blocks of data are easy to grab and sell,” she said. “It’s amazing how much data you see that is still stored in clear text. Encryption is more important than ever, with advanced encryption being ideal.”
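The complaint above is that patient data still sits in clear text where anyone who reaches the export or the wire can read it. A first defensive step is finding out where that is happening. The following is an added example (not code from the article or from any vendor it quotes) of a small audit that scans records for unencrypted SSNs and payment card numbers; the record format and all values are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample records, as if pulled from a flat-file export.
# The SSN 078-05-1120 and card 4111111111111111 are well-known test values.
SAMPLE_RECORDS = [
    "MRN 1001|Jane Doe|SSN 078-05-1120|card 4111111111111111|dx: asthma",
    "MRN 1002|John Roe|SSN n/a|card none|dx: fracture",
    "MRN 1003|Ann Poe|SSN 219-09-9999|card 4111111111111112|dx: influenza",
]

# SSN pattern that rejects area 000/666/9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card numbers: 13 to 19 digits; confirmed with a Luhn check below.
CARD_RE = re.compile(r"\b\d{13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cleartext_pii(record: str) -> Dict[str, List[str]]:
    """Return SSNs and Luhn-valid card numbers found in clear text."""
    return {
        "ssn": SSN_RE.findall(record),
        "card": [c for c in CARD_RE.findall(record) if luhn_ok(c)],
    }


def audit(records: List[str]) -> List[Tuple[int, Dict[str, List[str]]]]:
    """Return (index, findings) for every record that exposes PII."""
    out = []
    for i, rec in enumerate(records):
        hits = find_cleartext_pii(rec)
        if hits["ssn"] or hits["card"]:
            out.append((i, hits))
    return out


def redact(record: str) -> str:
    """Mask SSNs and card numbers so a record can be logged safely."""
    record = SSN_RE.sub("***-**-****", record)
    return CARD_RE.sub(lambda m: "*" * (len(m.group()) - 4) + m.group()[-4:]
                       if luhn_ok(m.group()) else m.group(), record)


if __name__ == "__main__":
    for idx, hits in audit(SAMPLE_RECORDS):
        print(f"record {idx}: {hits}")
        print("  redacted:", redact(SAMPLE_RECORDS[idx]))
```

Run against the constructed records, the audit flags records 0 and 2; the card in record 2 fails the Luhn check and is reported as a non-finding, which keeps the report from drowning in 16-digit identifiers that are not card numbers.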
Jim Doherty, chief marketing officer and vice president for Raleigh, N.C.-based CipherOptics, agrees that unencrypted data is “extremely vulnerable … whether over lines you don’t own or even within those you do.”
One of the most troubling aspects of cyber crime, Doherty said, is the ability of hackers to intercept data from a transmission without alerting anyone and leaving no tangible indication of the theft.
“It’s not like water traveling through a pipeline where if someone is siphoning it off you notice on the other end,” he said.
The need for safeguarding data has escalated as the healthcare industry’s “inexhaustible appetite for bandwidth” has grown, said Eric Bozich, vice president of IP connectivity and security solutions for Denver-based Qwest Communications. Sophisticated radiology systems with high-resolution images need roomier network channels and thus require the beefed-up security of multiprotocol label switching for shared network services, he said.
“MPLS servers provide a high level of privacy and security,” Bozich said. “It is a new generation way to provide a network service at an economical rate. It helps hospital networks meet bandwidth needs (and) improve efficiencies and cost effectiveness.”
INSIDE THREAT
Usually the biggest threat to data security comes from inside the organization, either from corrupt employees or lax user screening procedures, system vendors say.
“A lot of attention is being paid to enabling access,” said John Grimm, director of market strategy for Framingham, Mass.-based Courion. “We’re in the identity management market so we’re about letting the right people in to do what they’re supposed to do.”
Because healthcare is a heterogeneous environment, Grimm acknowledges that it can be complicated to get each staff member the necessary clearance for every authorized domain.
“New physicians can spend weeks and months in line for all the applications they need to access,” he said. “But we’ve been able to reduce the process of setting up their accounts and applications to a couple of hours.”
A common (and often successful) identity theft strategy is a reconnaissance approach, whereby an insider gains access to one network and works through the system to access others, noted Chandler Hall, vice president of marketing for Huntsville, Ala.-based Arxceo.
“The intrusions we see today start with someone sneaking inside a network and moving through it until they find personal information,” he said. “That is what happened with TJ Maxx – it started with one store and in 17 months went through the entire network until it found credit card numbers.”
Arxceo offers an anti-reconnaissance program run by an appliance costing less than $1,000 that camouflages operating systems and provides a virtual bulkhead to keep information from being compromised.
“It separates areas from each other to prevent someone in the waiting room from sliding in using a laptop to scan and work their way past the customer-friendly wireless system into the infrastructure itself,” Hall said.
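The two patterns Hall describes, a device on the guest wireless reaching into the clinical infrastructure and a host sweeping through the network looking for data, both leave traces in ordinary flow or firewall logs. The following is an added example (not code from the article or from Arxceo) of detection logic for those two patterns; the log format, the subnet assignments and the sample lines are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, Tuple

# Assumed network plan: guest wireless and clinical infrastructure ranges.
GUEST_NET = ipaddress.ip_network("10.50.0.0/16")
INFRA_NET = ipaddress.ip_network("10.10.0.0/16")

# Constructed flow log lines: "<ISO time> <src> -> <dst>:<port> <action>".
SAMPLE_FLOWS = """\
2024-01-01T09:00:00 10.10.2.5 -> 10.10.1.10:443 allow
2024-01-01T09:00:05 10.50.3.8 -> 8.8.8.8:443 allow
2024-01-01T09:00:10 10.50.3.7 -> 10.10.1.10:22 allow
2024-01-01T09:00:11 10.50.3.7 -> 10.10.1.10:445 allow
2024-01-01T09:00:12 10.50.3.7 -> 10.10.1.10:3389 allow
2024-01-01T09:00:13 10.50.3.7 -> 10.10.1.10:80 allow
2024-01-01T09:00:14 10.50.3.7 -> 10.10.1.10:443 allow
2024-01-01T09:00:15 10.50.3.7 -> 10.10.1.11:445 allow
2024-01-01T09:01:00 10.10.2.5 -> 10.10.1.10:443 allow
"""

Finding = Tuple[str, str, str]  # (kind, source, detail)


def parse_flow(line: str):
    """Split one log line into (timestamp, src, dst, port, action)."""
    ts, src, _arrow, dstport, action = line.split()
    dst, port = dstport.rsplit(":", 1)
    return (datetime.fromisoformat(ts), ipaddress.ip_address(src),
            ipaddress.ip_address(dst), int(port), action)


def detect(lines: List[str], scan_threshold: int = 5,
           window: timedelta = timedelta(seconds=60)) -> List[Finding]:
    """Flag guest-to-infrastructure flows and internal scanning behaviour."""
    findings: List[Finding] = []
    seen_pairs = set()                      # dedupe violations per (src, dst)
    touched = defaultdict(list)             # src -> [(ts, (dst, port)), ...]

    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, port, _action = parse_flow(line)
        # Pattern 1: traffic crossing from the waiting-room wireless into
        # the clinical infrastructure, regardless of whether it was allowed.
        if src in GUEST_NET and dst in INFRA_NET and (src, dst) not in seen_pairs:
            seen_pairs.add((src, dst))
            findings.append(("segmentation_violation", str(src), str(dst)))
        touched[src].append((ts, (dst, port)))

    # Pattern 2: one source touching many distinct host:port targets in a
    # short window, the signature of someone mapping the network.
    for src, events in touched.items():
        events.sort(key=lambda e: e[0])
        for i, (t0, _) in enumerate(events):
            distinct = {tgt for t, tgt in events[i:] if t - t0 <= window}
            if len(distinct) >= scan_threshold:
                detail = f"{len(distinct)} targets within {int(window.total_seconds())}s"
                findings.append(("internal_scan", str(src), detail))
                break
    return findings


if __name__ == "__main__":
    for kind, src, detail in detect(SAMPLE_FLOWS.splitlines()):
        print(f"{kind}: {src} {detail}")
```

On the constructed log the guest host 10.50.3.7 produces two segmentation findings (one per infrastructure host it reached) and one scan finding; the clinical workstation talking to a single service and the guest device browsing the Internet produce none. The per-pair deduplication and the sliding window are what keep a single noisy host from generating one alert per packet.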
CLOAK & DATA
Wyckoff Heights Medical Center’s criteria for an information security system are representative of what most provider RFPs would specify: easy to operate, transparent to the end-user, highly secure and reasonably priced. Jack Ksiazek, director of systems and project management for the New York-based hospital, says Palo Alto, Calif.-based Accellion’s Secure File Transfer appliance delivered on all counts.
“It not only secures documents sent back and forth, it has a sophisticated layer of encryption for larger attachments,” he said. “It is done on the back end so users don’t have to do anything extra. A lot of companies say their product is ‘plug and play,’ but this one really is. And it was amazingly affordable.”
Austin, Texas-based Gemalto is tackling information security from the patient’s end, developing a personal health care “smart card” with Broomfield, Colo.-based LifeNexus that links the consumer’s personal, financial, emergency care, insurance and medical information.
“The card takes the burden off the patient and helps the provider manage data and add in protection steps for the patient,” said Jack Jania, Gemalto’s vice president and general manager of secure transactions. “Patient records are mirrored on the provider database, but the data is only referenced to the card, not the patient.”