Data protection concerns abound for health care professionals. Getting a sound handle on steps to address these is key, reports Illena Armstrong.Few can argue 2011 has been a banner year for frequent and massive data breaches, and health care organizations have carried their share of the burden.
Compromises encountered by the likes of Sony, Citibank and others may have seen the exposure of between hundreds of thousands to some 100 million critical records. However, various hospitals, insurance and health care providers, clinics and others have experienced a staggering number of data violations. Whether the personally identifiable information (PII) was stored on networks or backup tapes, was lost on mobile devices or mistakenly posted to websites, incidents in the health care space have been common this year.
Yet, breaches are unsurprising to many in the space. At an SC Magazine Health Care Roundtable held late last year, attendees spoke frankly about their challenges. Understanding just how far their confidential data extends, addressing more highly targeted vectors of attack, like mobile devices or cloud computing, ensuring business partners have adequate security, and getting the support they need from equipment vendors whose tools now are networked to wider corporate infrastructures, were only a few worries they voiced.
“The problem is that in health care, all data is sensitive – whether its PII or protected health information,” says Larry Whiteside, CISO of the Visiting Nurse Service of New York, who attended the event, which was sponsored by IT security solutions provider Arcsight, now an HP company.
In reiterating a point he made at the Roundtable, Whiteside adds that keeping track of this data is the most critical duty for health care security pros – and the most confounding.
“All I can say is due diligence,” he explains. “Health care and every other vertical should ensure they are continuing to do the things they know they should in order to protect patients and their electronic information.”
One top concern for Roundtable attendees is insider threats. Not only do they have to worry about the typical security vulnerabilities other types of companies face, like the provisioning (and de-provisioning) of internal applications, or too many shared accounts, but they must also deal with what Roundtable participants referred to as “neighbor snooping.”
To address this problem, some pros who attended the Roundtable are in the midst of rolling out dual-factor authentication solutions. Among other technologies, they're also relying on encryption, security incident and event management (SIEM) solutions, awareness training, and identity management (IDM) to help with end-user provisioning and the deletion of shared accounts.
The problem with many of these solutions, though, is that they are based on policy, says Ryan Kalember, director of product marketing for Arcsight. And this means that organizations have to do some work up front to understand the extent of their user base. For example, with IDM, a company often turns to business units for details about users and what they should have access to, but they don't always know what that should be.
“We've seen that most of our customers who are really serious about user monitoring and need an authoritative source of data turn to [Microsoft's] Active Directory, because the information in there is better than what is in their IDM,” Kalembar says. “So, that's scary.”
The data that business partners have access to only complicates the problem more, says Jon Gossels, president and CEO of consultancy SystemExperts.