As HIMSS14 approaches, we are sharing a pre-show guest blog series from health IT industry experts on trends you can expect to hear about at the event. Below is a guest contribution from August Calhoun, Ph.D., vice president and general manager, Dell Healthcare and Life Sciences.
I’ve been using the term “connected security” a lot lately when talking about the need for better data protection, and it’s a term that has special significance to the healthcare community. That’s because much of the security found in healthcare is disconnected.
Healthcare has more security breaches than any other industry (though it seems lately that retail is trying to catch up). That’s true for two reasons. The first is that healthcare records contain personal data that can be used to gain credit and steal identities, which makes those records a high-value target.
The other reason is the organic nature of healthcare IT growth over the past three decades, which has resulted in lots and lots of silos, protected by a patchwork of security tools. The recent trend toward hospital mergers and the acquisition of free-standing ambulatory care centers has created even more silos and complexity, while also increasing workloads and competition for IT resources. Add in hundreds of doctors who all want to use their own devices to access the network, and you have a situation in which there is intense pressure, urgent timelines and a high risk for human error. Security gaps are bound to occur.
Clearly, something needs to change. That’s why the idea of connected security is important.
It’s a systematic approach to securing data at all access points, automating and simplifying security maintenance tasks to reduce human error, monitoring the network for intruders and adapting to defend against future attacks.
Keep data behind the firewall
Connected security starts with housing all your data and applications in a secure data center, creating virtual desktops for all users and eliminating data storage on any device not housed in the data center. This creates a layer of security around the web of older applications and data silos that exist in many hospitals, instantly reducing their vulnerability.
But users still need easy access to those applications, so you have to build a security system that is good at recognizing and escorting the good guys through the firewall, while identifying the bad guys and keeping them out. Some useful tools include:
• Hardware with embedded encryption capability and other security features.
• USB and drop box encryption.
• Next generation firewalls that can do deep packet inspection to identify malware hidden in seemingly innocent access requests.
• Identity and access control tools that allow you to manage access based on each user’s role within the organization and to efficiently audit the system to ensure that users only access applications and data they are entitled to use.
• Proactive surveillance to identify new threats, predict future threats, adapt to changing tactics and tag malware for easy future identification.
• Data center management tools to make security patches and other security updates easy.
Equally important is the ability of these tools to work together.
Encryption and device security are critical
But your security system doesn’t end at the firewall. You need to ensure that data is encrypted during transmission and that the devices used to access your network are secure.
Thin clients that don’t store data and that have built-in security and encryption capabilities can provide safe access points. Especially useful are devices that require at least two forms of authentication, such as the combination of a password and a swipe card, or a password and fingerprint scan. You need to ensure that lost or stolen devices can’t be used to access your network.
The BYOD phenomenon of users accessing your network with their own devices can make this task tricky, unless you limit access to devices that have built-in security and encryption features. The last thing you need is a doctor losing a tablet or smartphone that can be used by anyone to access your network.
Access top security talent by outsourcing
Probably the most difficult part of creating a fully connected security system for most hospitals will be the proactive surveillance and threat prediction. This takes special skills, and not many organizations have the depth of talent to do this effectively. But this is also a task that can be outsourced to a service that employs security experts and monitors traffic for multiple clients. These are folks who see a wide variety of security threats daily, and that experience can help you identify threats in real time, before they do damage, and also help you predict where threats will come from in the future.
While creating an effective, connected security system isn’t cheap or easy, it is an investment that is necessary and long overdue in healthcare. Considering the cost of a single data breach, in terms of fines and damage to your organization’s reputation, the cost of upgrading security is comparatively cheap.
I’ll be at HIMSS, Feb. 23-27 in Orlando, and I hope to have a chance to talk with a lot of healthcare CIOs. Given their concerns about the gaps in data security, I look forward to discussing the idea of connected security and hearing their thoughts on the topic.