5 keys to discovering hidden data security risks

By Michelle McNickle

The threat posed to patient privacy by misused IT isn't anything new, and neither is all the "how to" coverage emphasizing the importance of protecting your organization from breaches. But sometimes that’s easier said than done, a point Earl Reber, executive director at eProtex, agrees with.

“If your organization has some improvement to do in the area of data security, knowing where to start can seem overwhelming,” he said, adding that one needs to “begin to explore these issues deeply and work toward a long-term solution, as opposed to applying a Band-Aid. If you feel you can’t afford the time or resources to address these issues, truly, you can’t afford not to.”

Reber outlines five basic keys to discovering hidden data security risks. 

1. Cover the basics. Who at the hospital is responsible for addressing network security risks? “On one side, we have biomedical engineers taking care of medical devices,” said Reber. “On the other side, we have the IT department, [which] takes care of computers, smartphones, and the network infrastructure. Neither side is completely equipped to deal with device security risks, and between them, there’s a ‘Neverland’ of finger pointing over software-enabled or wireless devices, [which] could take down both sides.” Once this dynamic is recognized, on a more basic level, Reber suggests tracking each device and protecting it, making sure your organization’s policies and procedures cover it. He said to look at the availability of your equipment; if it’s vulnerable, or if you can’t guarantee the device will perform on a consistent basis, you may need a different set of standards than for “devices that don’t carry patient information or don’t have the same availability requirement,” he said. “Different standards for critical care devices may be necessary as well.”

2. Recognize potential ‘launch pads.’ Although every hospital and health system has some level of security protection, said Reber, the most common security-related “blind spot” is software-driven or wireless devices connected to the network. “From iPhones to surgical lights, CT scanners, IV pumps, and smart beds, any device transmitting data to a network is a potential target or launch pad for security breaches if left unprotected,” he said. And often, these breaches are hard to identify, since many times no one is keeping track of the devices. “Worse than a compromised network is the potential risk to patients that a security breach may cause,” said Reber. “It’s one thing for a CT scanner to be down – it’s another if that CT scanner has been impacted in a way that delivers an abnormally high dose of radiation (which has happened).” Every device, he concluded, reacts differently when compromised.

3. Hold vendors accountable. Reber says vendors shouldn’t be able to sell you things on incompatible levels of software. “Some make money by allowing outdated software to expire and requiring you to buy an upgrade,” he said. “They may not even remember what’s running on it.” He said to make it clear to vendors that you won’t buy the equipment if you find that’s the case. Additionally, “inventory what you have and what those devices are running on.”

4. Fill the clinical engineering/IT gap. With regard to Reber's original point about neither biomedical engineers nor the IT department being completely comfortable “owning” connected device security, one solution, he said, is to implement change management: getting IT, clinical engineering, and the device owner working together to achieve data and device security. “By implementing a change management process between IT, clinical engineering, and operations, you allow for a common point of contact,” said Reber. “It may also be helpful to ask questions like, ‘How do I get a new static IP address if I’m a clinical engineer or vendor installing a new device?’ or, ‘How do I tell you if I need to change that address?’” he said. If IT has to reboot a switch, he continued, how do they inform clinical engineering? Answering these questions ahead of time, said Reber, will ensure both groups are proactively monitoring and will be ready to act should there be a security breach.


5. Educate individuals on data security. “Prevention begins with education of individuals within a health system,” said Reber. “Physicians [who] run their own practices but are connected to larger health systems are especially important to educate, since they come and go, connect and disconnect from the network frequently.” Start with the importance of password policies, he said, since you may be surprised at how many physicians don’t have one or have passwords “taped to a drawer that everyone can access.” Begin to build awareness of these types of risks, and work toward developing a culture of reporting problems. “In 2009, nearly 80 million health records were breached from threats that were not properly assessed, according to the Privacy Rights Clearinghouse,” Reber said. “It’s amazing how much people will tolerate with regard to technical problems; they think they can just hit the ‘reset’ button to fix them. A problem may persist for weeks or years until something bad happens. Teach people that if it doesn’t look right, report it and call for help.”
