By Ed Simcox, Healthcare Practice Leader, and Ron Temske, Vice President, Security Solutions, Logicalis US
Cybersecurity is one of the most important issues on healthcare CIOs’ minds, and it will, of course, be one of the most talked-about topics at HIMSS17. Some of the challenges leaving hospitals most vulnerable to attack, however, are also among those that are most difficult to identify and solve.
While not all breaches are directly related to the electronic health record (EHR) or billing systems, that’s where cybercriminals tend to go first to acquire valuable patient data. But there are key aspects of securing patient information within the EHR and across the healthcare network that must be addressed holistically to thwart attacks from cyber adversaries in the health IT space.
We need to balance ease-of-use and ease-of-access to patient data with the ability to secure protected health and billing information not just within the health entity itself, but across all member health organizations that support it. Understanding data flow and system connectivity is key, as is examining the systems and human interaction of patient information throughout its entire lifecycle.
At Logicalis Healthcare Solutions, we’re telling our clients they need to take an architectural approach to security, looking at the whole organization and all data interaction points, not just the sum of its parts. Don’t fall prey to best-of-breed solutions that are often deployed in isolation. Without proper integration and sharing of actionable threat intelligence, you won’t have an effective holistic view of your security.
With HIMSS just around the corner, we brought our top healthcare IT and security experts together to talk about the issues, and we came up with a list of the five security concerns we think will be most important to healthcare CIOs in the coming year – topics we expect to hear a lot about at HIMSS17 and beyond.
Security of EHR Environments
Today’s top EHR providers – companies like Epic, Meditech and Cerner – offer very clear guidance to hospitals regarding the architecture of their computing environments. These prescriptive guidelines, while created to ensure the functionality of the EHR solution, can also constrain the healthcare CIO from enhancing security to protect the patient information contained within the EHR system. The burning question on many healthcare IT pros’ minds, therefore, is how to secure an EHR application and its associated data without interfering with or degrading the application itself. To build an effective data perimeter that works in cooperation with these top vendors’ EHR applications, you may need an experienced solution provider’s help.
Think of the sheer number of users who legitimately log on to a hospital’s wireless network daily – patients, family members, visitors, physicians, subcontractors (visiting surgeons, for example) – producing extremely high volumes of network traffic to monitor. Which is better – knowing that “Guest 321” has just entered a secure area or that “John Smith” has entered it? And, to take the issue of authentication a step further, since hospitals often have computing terminals in every patient room, if a doctor logs into the EHR system to upload patient notes but forgets to log out, protected health information becomes easily accessible to cyber adversaries as well as to well-meaning patients, their family and guests. Single-sign-on solutions with scheduled session timeouts are one example of an effective tactic to help resolve these concerns.
Preservation of Identity
While authentication is critical, so too is the preservation of user identities. With the virtual desktop infrastructure (VDI) hospitals typically use in their EHR environments, user identity can be difficult to capture and audit. Solutions exist, but if the IT professional delivering the EHR implementation is not familiar with possible security protocols that can preserve the identity of users throughout the system, these safeguards won’t be enacted.
Proliferation of End Points
In a hospital setting, a myriad of computing devices are in play – desktop and mobile computers, tablets, smartphones – any of which can be used to deliver malware or even ransomware into the host network. The key is to gate access and deploy tighter controls on what users can see, how they are authenticated and what policies are applied if a device is lost or stolen.
Internet of Things
One of the newest challenges for healthcare CIOs is the vulnerability inherent in connecting Internet of Things (IoT) devices: any piece of medical equipment with a built-in operating system – even if it doesn’t store patient data – can become a “zombie” used for nefarious purposes by a would-be attacker. This challenge is similar to the EHR security issue in that IoT devices are often too small for a security software agent to be loaded onto the device, which means you may need to consider a protective data barrier around your organization’s IoT infrastructure.
Want to learn more? If it’s time to step up your security game, start here: Don’t be held hostage by ransomware. Next, read these 10 tough security questions every CIO must be able to answer. If managing a comprehensive security solution is overwhelming your IT department with a continuous swarm of alerts, find out if managed security services can help. Need an experienced healthcare IT partner? Logicalis has nearly two decades of experience helping healthcare CIOs tackle their toughest IT challenges; read our most recent healthcare and security news to learn more, then visit the Logicalis Healthcare Solutions website here: http://ow.ly/SHSX308y7eh.