
INSIGHT: DATA SECURITY

Securing today's healthcare IT

Creating a security strategy that spans three years or more can prove to be redundant. Neal Mullen discusses why.

Neal Mullen
Group Deputy Director of ICT, St. Vincent's Healthcare Group Ltd, Ireland

The Roman God Janus had two pairs of eyes, one pair focused on what lay ahead and the second pair on what lay behind. When we review our security strategies with this in mind, what we have prepared for today needs to be remembered tomorrow and what we are preparing for tomorrow needs to be thought of yesterday. Clearly this is a challenge and one that is not restricted to the healthcare sector. I think the days of signing up to a three year security program, strategy and security based solutions are not viable anymore; just because it worked ten years ago doesn't mean it will work now. With growing numbers of sophisticated and financially driven security threats, it is not possible to create a static three to five year security strategy anymore. If personal data is the prize, healthcare organisations are prime targets. Gone are the days when we could say we are not high profile enough. One of the biggest challenges facing security strategies for many healthcare organisations is the range and age of the equipment they need to protect. On one side of the business they are bleeding edge, on the other they have legacy systems with various home grown or bespoke systems in between. The security threats we are protecting ourselves against today are different to the ones last year and they will be very different next year. Access to healthcare data has changed: users require increased collaboration with their colleagues and they require real-time access to patient data. Technology is a driving force here; users of such technology have become extremely adaptive, and we as ICT professionals must also be adaptive.

The change in how healthcare data is accessed should be considered as a revolutionary innovation process and not an evolution of how things worked in the past. Healthcare security professionals and IT administrators are facing new challenges coming from many new directions; for some it is sink or swim and for others it is an opportunity to fundamentally change how access to medical data is granted and be part of what I consider a technology shift in how healthcare services are provided. I encourage you to be part of the latter.

Healthcare institutions are no longer silos of patient data, accessible by only the most senior healthcare staff. The modern hospital has become a very complex environment, one where data is one of the most valuable and valued assets. The traditional modular IT structure of hospitals in the past has become totally integrated, where everyone that is required to have access now has it. While this fully integrated or federated model has created an efficient healthcare system, the same model has introduced an entirely new IT platform with new security risks. Our job is to identify solutions to these risks, solutions that will encourage further development of this integration and not act as a blocker. It is essential that healthcare IT departments become an enabler throughout this process if we are to be part of this healthcare transformation. It is a very exciting time to be working within the healthcare sector, a time of transformation fuelled by the explosion in use of technology and reform.

Mobile and connected health solutions are a reality and are here to stay. This creates an entirely new security arena: perimeter security is moving from our datacentres, and as healthcare ICT professionals we need to rethink how we manage security. I think we need to abandon the traditional security strategy model and move to an ambidextrous security strategy model. The ambidextrous business model has been proven to be very successful; it is time to look at a new model for our security strategy. Security professionals need to have the ability to manage the threats that are currently prevalent and look to the future for new threats while still focusing on the older and bespoke systems that are often unintentionally forgotten about. Mobile healthcare has added another layer on what could have been described as a fairly static infrastructure. I am describing this new security strategy as an ambidextrous security strategy because of how healthcare organisations are creating data, storing it and providing access to it.

If we look at what we have today and what we had in the past, most healthcare organisations had a standard design: servers and desktops with very little in between, silos of clinical systems that grew organically. Providing security for this type of environment was very simple. It contained perimeter security, server and desktop security and, depending on the size of your organisation, some filtration and network access control. Hospitals of the future have become unified, with a single user account with potential access to all systems. Identity management, user authentication and user authorisation solutions are key requirements. Secondly, the level and type of access has changed; mHealth has changed how users gain access and authenticate. This changes the access points and devices used to access our systems. Social media is now commonplace: everyone is on Facebook and LinkedIn, using Skype to communicate, Dropbox for collaboration and desktop sharing tools like Join Me and Go to Assist. Like it or not, our users are leveraging technology, offering a more efficient way of communicating with their peers and patients. So when you are looking to the future for new risks, don't just think of new variants of viruses; think of new ways you might lose your data. Will it end up on a file sharing website, will you hear about unauthorised users from other hospitals accessing your sensitive data over a WebEx meeting, or will you find users discussing sensitive data on a social media site? Security strategies shouldn't be restricted to focusing on malicious code; security strategies should cover your data: how it is accessed, processed, stored, transported and managed, how access is granted and how users are tracked while using it. From birth to death, your data is your responsibility; engage your users on that journey.

Assuming your organisation is at a mature security level, outside of the core security strategy statement and requirements, I feel most of the remaining elements of your organisation's security strategy need to be dynamic and monitored on a daily/weekly basis, depending on how security conscious or paranoid you are. There is a need for a security matrix showing real-time information on how your security systems are performing, a set of key performance indicators and an alert mechanism. Each system, each entry point and many key departments need to have a full security gap analysis completed and documented. The biggest risk to an organisation is lack of understanding as to what can be lost. Education, awareness and ownership need to be introduced as core elements of any new security strategy. Security professionals within healthcare need to view security differently; they need to identify user requirements and be more creative with how new security solutions are developed and deployed.

What is often called the single pane of glass solution can be expensive and difficult to create. My advice is to divide your estate into manageable pieces; it is only then that you will be able to tackle the bigger challenges. It is critical that you build a baseline and understand how your environment functions when operating normally: how many spam e-mails you get, how much bandwidth an application or department uses, or how much processing power a server normally uses. It is only when you understand this that you will ever be able to identify changes in your environment that could be a sign of a threat. Consolidation will help with this management; reduce the number of variables. An example of what I mean here is a single domain, single user accounts, reducing the number of entry points and creating a single network. Standardisation is also essential: managing 1000 devices that are configured the same is easier than managing 50 devices that are each different. Spend time developing desktop, server and network switch templates; build everything the same and add the required unique changes afterward.

I personally like real-time interactive drawings; there are a lot of tools that aren't too expensive. If you can draw your environment in Visio, you can add alerts to each part of the drawing; these could be servers, services, links, bandwidth, really anything you need. Once you have consolidated and segmented your environment, these drawings, along with e-mail alerts being displayed on a large screen or screens in your NOC, will greatly reduce your administration overhead. You want a solution where at a glance you can see how your SQL clusters or your firewalls are performing. When using historical data, every screen must use the same period of time; I recommend one week, as this should give you a good picture of how your environment is performing, and it will highlight peaks and dips as they happen. Using this model turns your entire department into security professionals and systems administrators.

Day to day, how is this affecting your security strategy? Three or four years ago, probably the most common security strategy was: if it moves, encrypt it; if it is high risk, block it. Over the last few years, internet based solutions have become focused on ease of use, ease of deployment and greater use of collaboration between individuals and groups. Our end users can go home and within an hour have a shared workplace with shared storage to create a dynamic and highly collaborative environment to work in. One could look at this as a risk, and it is a risk if not used correctly, but in my opinion it is more exciting that we have medical personnel showing the levels of innovation and creativity to use these technologies to improve services within their working environments. It is this entrepreneurial spirit that we must encourage. If we can capture this spirit and educate users on the best ways to use technology, we will have a winning formula for a better healthcare service. If IT administration is part of this journey, we can address the potential security holes before they actually become a risk. Remember, if there was an easy solution or we had no end users there would be no need for IT departments; our users are our customers, treat them accordingly.
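
The baseline-then-alert approach the article argues for, as an added example that is not part of the original piece: it takes one week of hourly readings for a metric (here a constructed count of inbound spam e-mails, one of the indicators named above), works out the normal band for each hour of the day, and flags peaks and dips in new readings. All data, thresholds and function names are assumptions made for illustration.

```python
"""Baseline one week of hourly readings, then flag peaks and dips in new ones."""
from statistics import mean, pstdev

HOURS_PER_WEEK = 7 * 24


def constructed_week():
    """Constructed sample: 7 days x 24 hourly spam counts, quiet at night, busier by day."""
    week = []
    for day in range(7):
        for hour in range(24):
            base = 40 if 8 <= hour < 18 else 10        # office hours vs. night
            week.append(base + (day * 3 + hour) % 5)   # small deterministic jitter
    return week


def build_baseline(week_readings):
    """Per hour-of-day (mean, std dev) over exactly one week, the window the article recommends."""
    if len(week_readings) != HOURS_PER_WEEK:
        raise ValueError("baseline must cover exactly one week of hourly readings")
    baseline = {}
    for hour in range(24):
        samples = week_readings[hour::24]          # same hour on each of the 7 days
        baseline[hour] = (mean(samples), pstdev(samples))
    return baseline


def classify(baseline, hour, value, threshold=3.0, floor=5.0):
    """Return 'peak', 'dip' or 'normal' for a new reading at the given hour.

    The band is threshold * std dev, but never narrower than `floor`, so a
    near-constant baseline does not raise an alert on trivial noise."""
    avg, sd = baseline[hour]
    band = max(threshold * sd, floor)
    if value > avg + band:
        return "peak"
    if value < avg - band:
        return "dip"
    return "normal"


def alerts(baseline, readings):
    """readings: list of (hour, value). Returns one alert record per reading outside its band."""
    out = []
    for hour, value in readings:
        verdict = classify(baseline, hour, value)
        if verdict != "normal":
            avg, _ = baseline[hour]
            out.append({"hour": hour, "value": value, "expected": round(avg, 1), "kind": verdict})
    return out
```

The same functions work unchanged for bandwidth per department or CPU per server; only the readings list differs.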

HITE Vol 4 No 2 SUMMER 2011

www.hospitaliteurope.com
