Creating a security strategy that spans three years or more can prove redundant. Neal Mullen discusses why.
Neal Mullen
Group Deputy Director of ICT, St. Vincent's Healthcare Group Ltd, Ireland
www.hospitaliteurope.com | Summer 2011 | Vol 4 No 2 | HITE | pp. 44-46

The Roman god Janus had two faces, one looking to what lies ahead and the other to what lies behind. Review your security strategy with this in mind: what we have prepared for today needs to be remembered tomorrow, and what we are preparing for tomorrow needed to be thought of yesterday. Clearly this is a challenge, and not one restricted to the healthcare sector. I think signing up to a three-year security programme, strategy and set of security solutions is no longer viable; just because something worked ten years ago does not mean it will work now. With growing numbers of sophisticated and financially driven threats, it is no longer possible to create a static three- to five-year security strategy. If personal data is the prize, healthcare organisations are prime targets. Gone are the days when we could say we are not high profile enough.

One of the biggest challenges for the security strategies of many healthcare organisations is the range and age of the equipment they need to protect. On one side of the business they are bleeding edge; on the other they have legacy systems, with assorted home-grown or bespoke systems in between. The threats we are protecting ourselves against today are different from last year's, and they will be very different again next year. Access to healthcare data has changed too: users require closer collaboration with their colleagues and real-time access to patient data. Technology is the driving force here. Users of that technology have become extremely adaptive, and we as ICT professionals must be equally adaptive. The change in how healthcare data is accessed should be treated as a revolution, not as an evolution of how things worked in the past.

Healthcare security professionals and IT administrators face new challenges from many new directions. For some it is sink or swim; for others it is an opportunity to fundamentally change how access to medical data is granted and to be part of what I consider a technology shift in how healthcare services are provided. I encourage you to be part of the latter. Healthcare institutions are no longer silos of patient data accessible only to the most senior clinical staff. The modern hospital is a very complex environment, one in which data is among the most valuable and valued assets. The traditional modular IT structure of the hospital has become fully integrated: everyone who needs access now has it. While this fully integrated, or federated, model has created a more efficient healthcare system, the same model has introduced an entirely new IT platform with new security risks. Our job is to find solutions to those risks that encourage further integration rather than act as a blocker. Healthcare IT departments must be enablers throughout this process if we are to be part of the transformation.

It is a very exciting time to be working in the healthcare sector, a time of transformation fuelled by the explosion in the use of technology and by reform. Mobile and connected health solutions are a reality and are here to stay. This creates an entirely new security arena: the security perimeter is moving out of our datacentres, and as healthcare ICT professionals we need to rethink how we manage security. I think we need to abandon the traditional security strategy model and move to an ambidextrous one. The ambidextrous business model has proven very successful; it is time to apply the same thinking to security strategy. Security professionals need the ability to manage the threats that are prevalent now, to look ahead for new ones, and at the same time to keep their focus on the older and bespoke systems that are so often unintentionally forgotten. Mobile healthcare has added another layer to what could previously have been described as a fairly static infrastructure. I describe the new strategy as ambidextrous because of how healthcare organisations now create data, store it and provide access to it.

Compare what we have today with what we had in the past. Most healthcare organisations had a standard design: servers and desktops with very little in between, and silos of clinical systems that grew organically. Securing that environment was very simple. It consisted of perimeter security, server and desktop security and, depending on the size of the organisation, some content filtering and network access control. Hospitals of the future have become unified, with a single user account that potentially gives access to all systems, so identity management, user authentication and user authorisation are key requirements. Secondly, the level and type of access has changed: mHealth has changed how users gain access and authenticate, which changes the access points and the devices used to reach our systems. Social media is now commonplace. Everyone is on Facebook and LinkedIn, uses Skype to communicate and Dropbox to collaborate, and shares desktops with tools such as Join.me and GoToAssist. Like it or not, our users are leveraging technology that offers them a more efficient way of communicating with their peers and their patients. So when you look to the future for new risks,
don't just think of new variants of viruses; think of new ways you might lose your data. Will it end up on a file-sharing website? Will you hear of unauthorised users from other hospitals viewing your sensitive data over a WebEx meeting, or find users discussing sensitive data on a social media site? A security strategy should not be restricted to malicious code. It should cover your data: how it is accessed, processed, stored, transported and managed, how access is granted, and how users are tracked while they use it. From birth to death, your data is your responsibility; engage your users on that journey.

Assuming your organisation has reached a mature security level, then outside the core security strategy statement and its requirements I feel most of the remaining elements of the strategy need to be dynamic and monitored daily or weekly, depending on how security conscious (or paranoid) you are. You need a security matrix showing in real time how your security systems are performing, a set of key performance indicators and an alert mechanism. Each system, each entry point and many key departments need a full security gap analysis completed and documented. The biggest risk to an organisation is not understanding what can be lost. Education, awareness and ownership need to be introduced as core elements of any new security strategy.

Security professionals within healthcare need to view security differently: identify user requirements and be more creative in how new security solutions are developed and deployed. What is often called the "single pane of glass" solution can be expensive and difficult to create. My advice is to divide your estate into manageable pieces; only then will you be able to tackle the bigger challenges.

It is critical that you build a baseline and understand how your environment behaves when operating normally: how many spam e-mails you receive, how much bandwidth an application or department uses, how much processing power a server normally consumes. Only once you understand this will you be able to recognise changes in your environment that could be the sign of a threat. Consolidation helps here by reducing the number of variables: a single domain, single user accounts, fewer entry points and a single network. Standardisation is also essential; managing 1,000 devices that are configured identically is easier than managing 50 devices that are each different.

... look at this as a risk, and it is a risk if not used correctly, but in my opinion it is more exciting that we have medical personnel showing such innovation and creativity in using these technologies to improve services within their working environments. It is this entrepreneurial spirit that we must encourage. If we can capture it and educate users on the best ways to use technology, we will have a winning formula for a better healthcare service. If IT administration is part of that journey, we can close potential security holes before they become real risks. Remember: if there were an easy solution, or if we had no end users, there would be no need for IT departments. Our users are our customers; treat them accordingly.
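The baselining advice above (know your normal spam volume, bandwidth and server load before you try to spot deviations) in working form, as an added example that is not from the article. It uses the median and the median absolute deviation rather than mean and standard deviation, so that one bad day already in the history does not widen what counts as "normal". All metric names, figures and thresholds are constructed for illustration.

```python
"""Baseline-and-deviation check for operational security metrics.

Added illustration, not code from the article: build a per-metric
baseline from historical readings using the median and the median
absolute deviation (MAD), then flag new readings that sit far outside
that baseline. Median/MAD are used instead of mean/standard deviation
so that a past incident in the history does not inflate "normal".
All metric names and numbers below are constructed sample data.
"""
from statistics import median
from typing import Dict, Iterable, List, Tuple

# Scale factor that makes MAD comparable to a standard deviation for
# normally distributed data.
MAD_SCALE = 1.4826

Baseline = Dict[str, Tuple[float, float]]  # metric -> (median, scaled MAD)


def build_baseline(history: Dict[str, Iterable[float]]) -> Baseline:
    """Summarise each metric's history as (median, scaled MAD)."""
    baseline: Baseline = {}
    for metric, values in history.items():
        vals = [float(v) for v in values]
        if len(vals) < 7:  # arbitrary floor: at least a week of readings
            raise ValueError(f"{metric}: need >= 7 readings, got {len(vals)}")
        med = median(vals)
        mad = median(abs(v - med) for v in vals) * MAD_SCALE
        baseline[metric] = (med, mad)
    return baseline


def robust_z(baseline: Baseline, metric: str, value: float) -> float:
    """Distance of value from the metric's baseline, in MAD units.

    Edge case: a metric whose history never varied (MAD == 0) has no
    tolerance, so any change at all is reported as infinitely far from
    normal. That is the conservative reading for, say, a server that
    has always sat idle and suddenly is not.
    """
    med, mad = baseline[metric]
    dev = value - med
    if mad == 0.0:
        return 0.0 if dev == 0.0 else float("inf")
    return dev / mad


def check(baseline: Baseline, observation: Dict[str, float],
          threshold: float = 3.5) -> List[str]:
    """One alert string per metric that is out of baseline or unknown."""
    alerts: List[str] = []
    for metric, value in observation.items():
        if metric not in baseline:
            # A metric nobody baselined is itself a finding: something is
            # being measured that the strategy has not yet covered.
            alerts.append(f"{metric}: no baseline, value={value}")
            continue
        z = robust_z(baseline, metric, value)
        if abs(z) > threshold:
            med, _ = baseline[metric]
            alerts.append(f"{metric}: {value} vs baseline median {med} (z={z:+.1f})")
    return alerts


# Constructed history: 14 days of readings per metric (hypothetical values).
SAMPLE_HISTORY = {
    "spam_per_day": [1180, 1220, 1195, 1240, 1210, 1170, 1205,
                     1190, 1230, 1215, 1185, 1200, 1225, 1175],
    "radiology_bandwidth_gb": [42.0, 40.5, 43.8, 41.2, 39.9, 44.1, 42.6,
                               41.8, 40.2, 43.3, 42.9, 41.0, 40.7, 43.5],
    # A quiet box whose CPU load never moves: exercises the MAD == 0 path.
    "pacs_server_cpu_pct": [12.0] * 14,
}

# Constructed "today" readings: a spam flood, a bandwidth spike on the
# radiology segment, an unchanged quiet server and a metric nobody baselined.
SAMPLE_TODAY = {
    "spam_per_day": 4800,
    "radiology_bandwidth_gb": 188.4,
    "pacs_server_cpu_pct": 12.0,
    "vpn_logins": 37,
}


def run_sample() -> List[str]:
    """Apply the check to the constructed data; returns the alert list."""
    return check(build_baseline(SAMPLE_HISTORY), SAMPLE_TODAY)


if __name__ == "__main__":
    for line in run_sample():
        print("ALERT", line)
```

On the constructed data this raises three alerts (the spam flood, the radiology bandwidth spike and the un-baselined VPN login count) and stays quiet on the idle server. The 3.5 MAD threshold is a common starting point, not a rule; the article's own advice applies, which is to tune it per system and per department once you know what normal looks like there.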