Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

4/6/2011
03:57 PM
50%
50%

Healthcare Data Security In Transition

Hackers are not as big a problem as insiders snooping on electronic medical and financial records, and the legal penalties for violating security rules are getting tougher.

Health IT Boosts Patient Care, Safety
(click image for larger view)
Slideshow: Health IT Boosts Patient Care, Safety
As hospitals shift their security efforts, healthcare data security is in transition. External hackers are less of a concern these days than insiders snooping on electronic medical and financial records. Hospitals are exchanging more data with small physician practices that may not have adequate safeguards in place, while mobile devices are extending networks far beyond institutional walls. Plus, federal privacy and security standards are getting stronger, as are the penalties for violating those rules.

"Your biggest [threats] are internal," Terrell Herzig, information security officer for the University of Alabama at Birmingham Health System (UAB), said Tuesday at a health IT conference in Atlanta. Employees have been known to take unauthorized peeks at the records of VIPs such as local celebrities or prominent citizens, and with more than 50 million uninsured Americans, there is a thriving black market for stolen and fraudulent health plan identification numbers.

"We're emphasizing awareness and education" for employees and medical staff, said Mark Moroses, chief information officer of Continuum Health Partners, a five-hospital system in New York City. "We try not to have a heavy hand in a less-than-egregious breach. The education loop is what we focus on."

Still, after a local newspaper exposed security vulnerabilities at a Continuum hospital by getting an insider to point out how to access patient records, Moroses helped authorities arrest and prosecute the employee, who, it turned out, had stolen patient identities at another hospital but hadn't been caught. "We did a better job of collecting the evidence," Moroses said.

"You can't lock down everything," said Cigdem Delano, chief information officer at Morehouse School of Medicine (MSM) in Atlanta said. "No matter what you do, there's always going to be a human factor."

Meanwhile, security and compliance officers are trying to strike a delicate balance between protecting their data and making the IT systems so difficult to navigate that users -- particularly those fickle creatures known as physicians -- rebel.

"You can also have too much security," Delano said. At least one person in the MSM legal department wanted Department of Defense-level security in the clinical IT server room, he said. But the medical school isn't doing anything with national security implications such as bioterrorism research.

On the other hand, UAB has some contracts with the National Institutes of Health that involve potentially sensitive data, but didn't want to frustrate end users by forcing them to enter complicated passwords each time they turned away from the computer for a few seconds. Herzig and his team chose thin clients with two-factor authentication in the form of smart cards. If users remove their cards without logging out, their sessions stay frozen. They can reinsert the cards at other workstations and simply re-enter a personal identification number to resume working.

Continuum has essentially turned its computers-on-wheels into dumb terminals, Moroses said, and by next year will only have thin clients available to most end users. This is what Mike Wall, CEO of DICOM Grid, a Phoenix-based provider of cloud storage and archiving of digital medical images, calls a "zero footprint" from a security standpoint: no data stored on local computers.

"The whole zero-footprint thing is great," said Herzig, particularly in the age of mobility. "We made the decision that we were going to manage data, not devices," he said.

Sometimes, though, it's impossible to keep all data in-house, especially as an increasing number of patients ask for electronic copies of medical records and images. That's where encryption comes in. Herzig spoke of finding a CD clearly marked with a patient's name lying in the hospital's parking lot. The image on the disc was not secured.

This apparently is a common occurrence. "Every facility I go to, there's a CD problem," said Wall, whose company, of course, has an interest in moving images to the cloud.

According to Moroses, only in the past two years or so have major information security vendors been able to offer healthcare organizations end-to-end encryption products and services. Before then, it was rather piecemeal.

"We went through what I affectionately call encryption conniptions," Herzig adds. "It's got to be continuous across the whole space."

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16772
PUBLISHED: 2019-12-07
The serialize-to-js NPM package before version 3.0.1 is vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This vulnerability is not affected on Node.js environment since Node.js's implementation of RegExp.prototype.to...
CVE-2019-9464
PUBLISHED: 2019-12-06
In various functions of RecentLocationApps.java, DevicePolicyManagerService.java, and RecognitionService.java, there is an incorrect warning indicating an app accessed the user's location. This could dissolve the trust in the platform's permission system, with no additional execution privileges need...
CVE-2019-2220
PUBLISHED: 2019-12-06
In checkOperation of AppOpsService.java, there is a possible bypass of user interaction requirements due to mishandling application suspend. This could lead to local information disclosure no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVers...
CVE-2019-2221
PUBLISHED: 2019-12-06
In hasActivityInVisibleTask of WindowProcessController.java there?s a possible bypass of user interaction requirements due to incorrect handling of top activities in INITIALIZING state. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction ...
CVE-2019-2222
PUBLISHED: 2019-12-06
n ihevcd_parse_slice_data of ihevcd_parse_slice.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.0 Android...