PHOENIX – With security breaches involving medical data on the rise, experts say hospitals must become proactive in managing their vulnerabilities.

Rob Israel, CIO of the Phoenix, Ariz.-based John C. Lincoln Health Network, said his hospital needed to better manage the risk of  "unmanaged removable media" like thumb drives, floppy disks and CD burners, which are used by hospital staff and physicians everyday. 

Ninety percent of cyber attacks go after known vulnerabilities, said Paul Zimski, vice president of Market Strategy with Scottsdale, Ariz.-based Lumension, a provider of operational endpoint security solutions. He said this type of media cannot only be lost or stolen, but it can also introduce viruses and other malware.

"Seventy percent of all serious incidents are sparked by insiders because they have direct access to your most sensitive data," said Zimski.  Most threats occur from misuse or by accident, he adds. 

Zimski said banning these devices isn't a realistic solution, so hospitals should enforce encryption policies.

Israel said his hospital had plenty of security policies, but they weren't doing enough to enforce them. Using Lumension's Operational Endpoint Security solutions, he said, they automated their policies.

Lumension took a new approach to malware by whitelisting the hospital's more than 700 trusted applications and allowing them to reside on the network. If a new application is introduced, hospital officials can choose to monitor or block it.

Lumension also provided automatic alerts and reports of policy violations and audit trials so hospital officials could see what their end users were doing.

"Most of your risk can be dealt with though new technologies - by proactively removing risk," said Israel. "But security technology without policy and education will not be effective."