By Ron Culler, CTO, Secure Designs
Today, even the smallest healthcare organization is a technology hub. Multiple IT systems connect providers to patients, medical specialists, online resources and external providers, and staff are increasingly equipped with mobile devices to support their work both inside and outside the facilities. The regulatory environment is stringent, and new state healthcare exchanges place additional security and privacy pressures on healthcare organizations.
Not all organizations are up to the challenge of providing secure access to network resources, protecting confidential patient information, and ensuring the network is available to all who need it. In 2013, organizations including WellPoint and Affinity Health Plan paid out millions of dollars in settlements for HIPAA violations, and a recent survey indicates that about 50 percent of healthcare and pharmaceutical organizations have no formal means of assessing and adapting to the changing threat landscape.
Whatever the size of the healthcare organization, the same information protection obligations apply across multiple areas of the network: the network perimeter, internal systems (not just PCs, but also networked printers and photocopiers), outsourced consultants’ communications, and remote and mobile devices must all be secured. The systems are intricately interlinked, but the most critical aspects of network security for healthcare organizations can be broken down into six key areas.
The HIPAA framework requires covered entities to safeguard electronic protected health information (ePHI) wherever it is stored or transmitted. Organizations therefore need to map their security controls to each requirement laid down by HIPAA, including the Security Rule's technical safeguards (access control, audit controls, integrity, person or entity authentication and transmission security) and its administrative requirements for protection from malicious software and monitoring of log-in attempts. Robust reporting is a subsidiary but key requirement, because healthcare providers must be able to pass audits by producing evidence that their security mechanisms are actually working. Reporting, monitoring and management controls are major aspects of HIPAA compliance. It is essential to have a system that provides central management of, and insight into, all firewalls, backup and recovery systems, secure remote access devices and email security appliances from a single location. IT administrators must be able to monitor their entire security infrastructure at a glance and have a streamlined mechanism to create any reports needed to demonstrate compliance. One practical check: the audit logs the Security Rule requires are only useful if they are retained and reviewed, so log collection and review should be scheduled and recorded rather than left to each device's local buffer.
Unauthorized access to a hospital network could jeopardize the hospital's day-to-day business, not to mention the health of a patient. The firewall provides the first line of defense against network attacks of all types. In practice, this means an emphasis on dynamic security at the network perimeter: one or more multi-layered gateways or firewall devices incorporating anti-virus and anti-malware scanning, intrusion detection and prevention, and content filtering to control undesirable or unproductive Internet content. I think it's fair to say that any firewall, device or software program that requires constant manual management by the user organization or IT department will find itself several threats behind the times within a very short space of time. Who has time for manual patch management? The complexity and time sink inevitably lead to people making value judgments about the importance of this or that patch, often with disastrous results. This goes some way to explaining the widespread popularity of unified threat management (UTM) firewalls, whose signature and protection updates are delivered automatically by the vendor without intervention on the part of the end user. Automatic signature updates do not remove the need to apply the appliance's own firmware updates or to review its rule base periodically, however; a UTM running stale firmware, or carrying an "any/any" rule left over from troubleshooting, is still a gap.
Remote access to clinical systems has revolutionized the healthcare industry, equipping mobile care providers to make substantial improvements to patient care and outcomes. Radiologists can examine x-rays and CT scans from their home office. Specialists can diagnose stroke symptoms over a video link. Hospice nurses, social workers and chaplains can access electronic medical records in the field as they provide in-home support for end-of-life patients. In all these scenarios, remote access systems that provide encrypted connections to the core network, whether through an SSL/TLS-based VPN or portal or through an IPsec VPN, are key to meeting HIPAA's transmission security requirement while maintaining patient confidentiality. Because the remote endpoint becomes part of the trusted network, strong authentication of both the user and the device matters as much as the tunnel itself.
Mobile diagnosis carts, laptops, printers, telemedicine systems: the wires are disappearing faster than you can list the devices used by healthcare professionals. For mobile caregivers in or out of the facility, wireless means immediate access to patient information, whenever and wherever it is needed. But wireless security needs to offer more than simple traffic encryption, and the encryption itself should be WPA2-Enterprise with per-user 802.1X authentication rather than a single pre-shared key that every device, and every departed employee, knows. A must-have for healthcare providers is an integrated firewall and secure wireless system that inspects and encrypts traffic, enforces common security policies over both wired and wireless networks, and detects and disables rogue access points or devices.
No healthcare organization wants to see patients' confidential information leaked into the public domain. Larger organizations are able to deploy their own email encryption gateways; for smaller organizations, hosted email encryption services are the answer. These services ensure that only the intended recipient can open a message, typically by having the recipient log in to a secure portal to retrieve it. They also scan all content and attachments automatically, both to apply the encryption policy to any message that contains protected health information and to ensure that the message itself carries no malicious content. Establishing a centralized, policy-based email encryption system also assists with regulatory compliance.
Protecting patient data is a twofold task. Data in transit is reasonably well protected once the transport links are encrypted, and intercepting it then requires a foothold on the network path such as a compromised host, a rogue access point or an unencrypted link. Data at rest, on the other hand, offers ripe pickings. Patient information in databases and file systems stored on network and file servers contains credit card details, social security numbers and sensitive personal facts that spell big money to the cybercrime community, and copies of it leave the building on every lost laptop and USB stick. This is why it is essential to use full-disk or file-level encryption to protect the data on PC and laptop hard drives, USB sticks, portable storage devices, backup and recovery systems, and shared disk folders. There is a compliance payoff too: under the HIPAA Breach Notification Rule, ePHI encrypted in accordance with HHS guidance is not treated as "unsecured" PHI, so the loss of a properly encrypted device does not trigger the notification obligations that the loss of an unencrypted one does.
In summary, security needs to be integrated throughout the overall architecture to protect the integrity of patient data and the healthcare provider's infrastructure assets to the level deemed appropriate by regulatory bodies as well as by professional standards. Furthermore, security should be considered a process, not a product that can be deployed in isolation from the other activities of the organization. Healthcare professionals can therefore be forgiven for wanting to leave IT security to someone else while they get on with the job of making patients' lives better, and that's the way it should be. Network security is complex and fast-moving enough that it is a task best handled by experts. Healthcare providers can rely on managed security providers who will take care of everything from updates and patch management to reporting, monitoring and remediation.