The Three Major Security Threats in Healthcare
Nowadays Doctors and Nurses has several mobile devices in order to provide patient care. Virtualization is very important in providing adequate and affordable patient care in the rural health industry. Attempts to breach security happen every day in our agency. Preventing cyber-attacks and security breaches is a never ending battle in network security.
I am an IT professional focusing on network security in the healthcare industry. Every day we monitor the network for phishing/pharming, DoS attacks, Trojans, and other security breaches. Mobile Devices, virtualization and lackadaisical end-users are the biggest threats to network security. Mobile Devices
An article in GCN says it best, “Mobile devices are ubiquitous in today’s society, and the number and types of devices used by physicians, nurses, clinicians, specialists, administrators and staff – as well as patients and visitors – is growing at healthcare agencies across the country.” Nowadays Doctors and Nurses has several mobile devices in order to provide patient care.
Cellphones, laptops, and tablets are of the norm. I can’t remember the last time I had a doctor’s visit and the doctor didn’t update my chart using a laptop or tablet. All of these wireless devices make the network vulnerable. In my opinion wireless security has always been the hardest part of the network to protect because there isn’t a physical connection that can be monitored. End-users don’t always use secure passwords or they share passwords.
At our agency an employee is not allowed to bring in a mobile device other than a personal cellphone to the workplace in order to reduce security breaches. “The Office of Management and Budget, Personal Identity Verification cards had been issued to 3.75 million federal employees as of Dec. 1, 2010, or 80 percent of the government workforce, and to 76 percent of contractors who are eligible to use the cards, about 885,000 contractors.”
My agency uses Personal Identity Verification or PIV cards to gain access to wired devices on the network unfortunately that is not the case for wireless devices. Although we have two-party authentication in place for all devices it would be nice to have tertiary layer such as a smart card or PIV card for wireless devices. I don’t foresee a solution happening for a few years due to the cost in an already financially burdened healthcare system.
It is true that “a reliance on off-the-shelf products means that there will be no PIV card readers available for workers signing on to check e-mail or read a document while out of the office.” Virtualization
The agency I work for specializes in rural healthcare therefore often they don’t have the equipment or the staffing to complete tasks such as reading X-rays, providing behavioral health etc. Over the years we have had to implement Telehealth in order to meet these requirements.
A patient in rural Minnesota may have his or her x-rays read by a physician in Billings, Montana. An individual may have weekly counseling sessions with a psychiatrist that is 500 miles away. Nowadays most healthcare companies use electronic health records to access patient information. Denial of Service DoS attacks happen when a hacker manages to overload a server to render it useless.
A DoS attack is prevalent and damaging in virtualized environments and can preventsthe physicians and nurses from retrieving a patient’s information. If they are unable to access patient history to include what medications they are on or what they may be allergic to etc then they are unable to provide or give the wrong patient care which could be deadly. Therefore virtualization is very important in providing adequate and affordable patient care in the rural health industry.
Our agency has mandatory computer security and security training every year in an effort to preempt attacks on the network. This mandatory training is required to be taken by every employee including the IT department. Attempts to breach security happen every day in our agency. Although we have security measures in place we have to constantly educate our end users on how to handle suspicious activity, password safety etc.
Unfortunately there is always that one person that opens a suspicious email or shares their password or loses their token or PIV card and they don’t report it. This makes the network vulnerable. I have always believed that end users are a company’s biggest security risk. Allowing end users to access social media, personal email etc can allow for viruses to infect PC’s server’s etc. Once a virus is in the network it will spread like wildfire which will cripple the network. Prevention
We use a lot of tools to constantly monitor the network to prevent DoS attacks, viruses, packet sniffing, phishing etc. We have implemented Websense as a means of policing what websites an end-user can surf to.
We have firewalls in place to prevent end-users as well as outsiders from having access to IP ranges on our network as well as outside the network. We use access list on the routers as another layer of protection. We have penetration testers in our department whose only purpose is to look for packet sniffing and holes in the network.
We have another group that monitor’s suspicious activity on the network such as a spike in bandwidth or an IP that is sending or receiving a large amount of information for specific length of time. Preventing cyber-attacks and security breaches is a never ending battle in network security. Conclusion
Healthcare news states that “…Healthcare is driving the need for network security solutions that can cover multiple types of devices and infrastructure components.” Although we are largely driven by the Federal Communications Commission and HIPPAA my department is constantly implementing new devices and measures to secure the network and protect patient and employee information. This takes constant training and a lot of due diligence to accomplish that goal.
Are mobile devices already making PIV cards obsolete? Retrieved on October 13, 2013 from http://gcn.com/articles/2011/03/11/piv-status-update.aspx PIV Cards are in the hands of most federal employees and contractors, Retrieved on October 13, 2013 from http://gcn.com/articles/2011/03/11/piv-status-update.aspx
Top Five Security Threats in Healthcare, Retrieved on October 14, 2013 from http://www.healthcareitnews.com/news/top-5-security-threats-healthcare