
July 31, 2009
Vol.31 Issue 20 Page(s) 35 in print issue
Digital Medical Records
Assess Their Vulnerability
Key Points
• Many healthcare data breaches are the result of security policy violations, including leaving supposedly secure systems unattended in the open.
• Once servers are secured, improper use of client systems and devices, such as visiting unauthorized Web sites or exchanging data via insecure flash drives, remains a significant risk.
• Changing corporate culture and users’ awareness of security may be the single most important way a company can improve its ability to keep health records safe.

The April 23, 2009, memo put out by the Oklahoma Department of Human Services now sounds unfortunately familiar. A laptop containing the “names, Social Security numbers, dates of birth, and home addresses of clients” from a broad range of assistance programs was stolen from an employee’s vehicle. The OKDHS director stated that “the risk of the data being accessed is low because the computer uses a password-protected system.” Perhaps the thief was only looking for a notebook to hawk for a couple hundred bucks, and whoever fenced it on the street had the sense to wipe the hard drive, oblivious to what was on it. Or perhaps that data is still waiting to fall into the hands of the highest black market bidder. A password alone won’t stop a determined hacker.

In 2006, the Veterans Administration suffered a laptop theft in which the stolen PC contained 26.5 million troop and veteran records. The laptop was recovered, and forensics determined that the data had not been touched, but the VA still settled a class action lawsuit over the affair for $20 million. According to Kevin Prince, chief technology officer at security service provider Perimeter (www.perimeterusa.com), “Data breaches are almost synonymous with class action lawsuits these days.” He notes that the average breach costs organizations $2.6 million, but even that pales alongside what could happen if data suddenly turns up missing or stolen right when doctors need it for critical patient care.
Healthcare data in the 21st century must be digital and portable, but it also must be protected. Many organizations, however, need guidance on how to safeguard their digital assets both during use and after a problem arises.
Four Risk Vectors

HIPAA requires healthcare organizations to encrypt electronic healthcare data stored on open networks and systems. Unfortunately, encryption only works as intended if the surrounding security policies are maintained. One such policy is bound to prohibit leaving systems that carry sensitive data unattended in the open, even for a moment. “Say somebody has a laptop with an encrypted hard drive,” says Perimeter’s Prince. “They’re logged in, doing their work, and they walk away for just long enough for someone to come along behind them and swipe their laptop. The data is open and unencrypted if they’re logged in. As long as the computer doesn’t turn off or require authentication, they can copy out the data or do whatever they want.”

A second and related risk vector deals with security policy violations around proper session authentication. “One of the biggest stumbling blocks for healthcare organizations as they move to full digitization is user authentication,” says James Quin, senior research analyst at Info-Tech Research Group. “If that doctor, nurse, or clinician is flitting between all these wards, beds, and rooms and accessing systems in all of them, a real lack of authentication gets introduced. A lot of organizations will use a blank password and login. The first person in that morning logs in and thereafter everybody uses that account, making it very difficult to track who did what with any given data. If you’ve got an open system at a nurse’s station or in the hallway, anyone walking by can access it.”

If this sort of violation sounds too absurd to be true, it’s not. Such policy breaches happen constantly and in many forms, often because users work under a false sense of security. “Medical people feel like they’ve got safe harbor because they encrypted their data,” says Bill Hunka, director of business development for Absolute Software (www.absolute.com). “That’s the law. But they didn’t realize that in New York State, the law also says that you need to be sure the encryption keys were not tampered with. Well, quite often you have end users struggling to remember all their different passwords. They write passwords down on a pad kept with their notebook. Or they have the RSA token for identity verification in the laptop bag. It’s just the unfortunate nature of humans in IT.”

The third major risk vector occurs when users expose their systems and portable devices to unauthorized outside elements. The most famous example might be the USB flash drive, this decade’s equivalent of the old virus-infected floppy disk. All it takes is one plug-in to an infected system, followed by moving that flash drive back onto a system tied to the healthcare organization’s LAN, even over a VPN connection. All a VPN does is ensure that no one can snoop on the connection between client and server. Far less obvious is the newer role played by malicious code lurking on Web sites. Malicious code can be placed on sites intentionally or be hidden there as the result of undetected hack attacks. According to Perimeter’s Prince, “In the last year, something like 80% of the top 100 Web sites have been compromised and had malware installed on them for a day or several days.” This includes generally trusted sites. When someone visits a site containing malicious code, the visiting client PC can be compromised and ultimately hand over information (including username and password) or even full control to a remote hacker. As Prince asks, why go through the trouble of coding exploits and breaking through a firewall when a hacker can let malicious code do his work for him? This is why an increasing number of organizations are enforcing URL whitelists rather than blacklists, dictating the few sites a browser may visit rather than blocking the few it can’t.

The fourth and probably most dangerous risk vector is malicious insiders. According to Absolute’s Hunka, 30 to 50% of data security breaches are internal jobs. All it takes is one disgruntled, or even desperate, employee feeling today’s economic pressures to conduct an internal data breach far more damaging than any outside hack attack could be. This is why access to critical data must be confined to the employees who really need it, so as to reduce the risk footprint.
Solutions

The task of safeguarding healthcare data can seem daunting if not impossible, but there are some basic, even inexpensive, steps that can dramatically improve an organization’s odds against data breaches. Perimeter’s Prince recommends that all enterprises enforce ongoing security training—not just once every year or quarter but at least one hour every month, with each new session covering a new topic. The object is to gradually shift the corporate culture into a security mindset and keep end users abreast of current risks. It’s equally important to test users to make sure the teaching is taking root. When Perimeter analyzes an organization’s security, 75% of end users tested will give out their username and password to strangers (Perimeter representatives purporting to be someone else) over the phone. So the most important thing is to keep educating. “If anyone goes into security thinking they’re going to do X, Y, and Z and be done, they’re hosed,” says Prince. “They’ll eventually be hacked and breached and wonder how it happened.”

After training and cultural security awareness, look for ways to improve the security of client systems. Much of IT’s security focus stays on servers, but all it takes is one compromised client to create a data breach firestorm. Software-based encryption is widely considered inferior to hardware-based encryption that resides within the hard drive. Until recently, there was no industry standard for such encryption, but the Trusted Computing Group has now finalized its “Opal” specification. With Opal, all data on the drive, even the base OS files and MBR (master boot record), is encrypted from the moment of installation. Because encryption is handled by a processor within the drive, there is no impact on system resources and no way for users to leave the protection disabled.

“Protecting consumers’ health information now is much easier and efficient because of the growing availability of self-encrypting drives that do strong encryption on the fly, all the time, and in a way that the data cannot be attacked,” notes Brian Berger, director of the Trusted Computing Group (www.trustedcomputinggroup.org). “These drives are available as a factory-installed solution from many OEMs and are relatively inexpensive. We’re seeing the healthcare market adopting and rolling out fully encrypted drives in data centers, notebooks, and desktop PCs used by doctors and their staffs, at little incremental cost and with no change of behavior for the users.”

by William Van Winkle
Protect Data On Laptops

The physical cost of a stolen laptop is a fairly minor concern to most organizations; it’s the data on the laptop that matters. But without having the system in hand for analysis, you won’t know whether patient records have been compromised. This is why recovery of the notebook can be so critical. Along with the Trusted Computing Group’s Opal specification, consider adopting client systems that leverage a hardware-based security platform. Recovery applications can identify a stolen laptop when it connects to the Internet so it can be traced, and such applications still work even if the hard drive gets wiped and overwritten. Admins can remotely block access to the system’s encryption keys, making the data inaccessible, or even block the OS from booting. Combining such technology with encryption greatly increases the odds that thieves will be left with no valuable data.