The health care industry is undergoing rapid technological change thanks to three driving forces: federal regulations,...
end users and vendors. The IT department barely has time to deploy an electronic health record (EHR) system to meet mandates for online medical records before doctors and staff begin to request network access for personal mobile devices. Then there are health IT vendors developing new devices and software that connect to the wireless or wired local area network (LAN) to improve the delivery of health care.
With so much of the organization literally riding on the network, security has become an increasing concern. "It's something that's probably been a long time in the workings," says Russ Gallery, owner of Access Technology Group, a security service provider in the greater Chicago area. "Organizations are being mandated to put everything online, do away with paper and automate processes. This forces organizations to take a hard look at their security posture and the risks that exist on the network."
The view is an alarming one. According to McAfee Inc., there are 55,000 new instances of malware per day. According to Symantec Corp., applications containing malicious code now outnumber legitimate software systems. These threats put sensitive patient data at risk. Attackers sell this data on the black market, or use it themselves to file unlawful medical claims. These threats also put network availability at risk -- an increasingly dangerous proposition as critical medical devices rely upon network connectivity.
The challenge: Limited resources
Simply put, health IT organizations are overwhelmed. "The biggest network security challenge in health care organizations is simply the ability to keep up...with the new technologies introduced by users, new technologies introduced by vendors and, of course, the risks that those technologies introduce to the network," said Jason Rhykerd, consultant with SystemExperts Corp.
Keeping up with new technologies and the threat landscape is certainly a challenge for any company, but it is particularly difficult for health care.
"The most difficult thing medical providers have to deal with is limited resources. They have a limited IT staff, limited IT budget and almost infinite endpoints, number of locations and practices," Gallery said. "Each of these little offices that are spread out from the main hospital doesn't necessarily have an IT staff. The ability to secure the network becomes more difficult. They don't have someone there that's familiar with IT. They can't address issues as they present themselves or proactively manage risk."
This differs from the corporate world with which service providers may already be familiar. "In a corporate enterprise, they've come around to understand that IT apps support the business model. It's easier to perform a cost analysis and say, 'If the network goes down, what does that mean for the business?'" Gallery explained. "The medical profession has been slower to take on technology as [its] foundation, so it's been harder to justify the IT resources to support peripherals. If a doctor's office loses Internet access or Word, [it] can operate as long as [it has] power and the door open."
The results: Abundant vulnerabilities
When resource-strapped IT organizations face increasing demands, something is bound to slip through the cracks. Unfortunately, in this case, that something happens to be network security best practices.
"The basic things are getting missed -- user education, making sure patches are up to date -- because we hear about the advanced persistent threat and things like that. But they're just the same old things with different attack vectors," Rhykerd said.
Health care is also slipping when it comes to network segmentation, system hardening, password best practices, network monitoring and Web application vulnerabilities. Bottom line: health IT organizations are struggling to maintain even baseline security across the IT environment.
When such basic network security controls are missing, the risks introduced by new technologies are compounded. Consider, for example, the risks introduced by mobile device usage. With staff using iPads and Android smartphones to access patient data, it's harder to define the network edge. Protecting data now becomes of paramount concern if efforts in this department were previously lacking. Any vulnerabilities in clinical applications that haven't been previously patched are now also glaring risks.
"Nothing's really all that new. It's coming down to the same thing: People missing patches," said Rhykerd. "I think a lot of health care professionals like to see all this new technology, but the IT department doesn't have the bandwidth to keep up with the implications of these things."
I think a lot of health care professionals like to see all this new technology, but the IT department doesn't have the bandwidth to keep up with the implications of these things.
Jason Rhykerd, consultant, SystemExperts Corp.
Gallery noted that vulnerabilities enter the IT environment when that new technology is installed. Hackers then exploit those vulnerabilities to gain access, he added.
The problem stands to become worse before it gets better. Endpoints will continue to proliferate as the benefits of using mobile devices in health care grow. Unable to patch the systems under their direct control, how will these organizations manage user-owned devices? Meanwhile, the network edge is becoming fuzzier and fuzzier, while sensitive data is more accessible than ever before.
The opportunity: Network security management services
These pain points translate into opportunities for channel companies that can adapt their skill set. The first step to providing value to health care clients is similar to that of any other client, Rhykerd said: "Understand the business that's laid out before you."
He continued: "There is risk in any business and it's important to understand. Whether it's a security solution or new medical device, what is the business benefit you're trying to derive? There is such a thing as acceptable risk, but it's a matter of managing it."
Once you understand the business, you can help translate the benefit of different technologies to the client. You can help them understand the role technology plays in supporting the business and the need to manage the associated risks. This includes evaluating technology and making strategic decisions.
For example, does it make sense to adopt a bring-your-own device policy? If so, what management and security controls are required to support that policy?
Service providers and consultants can also give health IT organizations the visibility needed to understand what's on the network. The Health Insurance Portability and Accountability Act (HIPAA) requires such visibility, but it is also necessary to defend against network threats.
Gallery's company, Access Technology Group, has partnered with security vendor nCircle Network Security Inc. to help provide this visibility. nCircle's PureCloud vulnerability scanner is a small piece of software that sits on a workstation or server and scans a list of sites within the client's IP range. In this manner, Gallery can help his clients gain visibility into remote clinics, for example.
Vulnerability and patch management services offer further opportunities. Service providers and resellers can benefit from offering data encryption solutions that protect sensitive data and help organizations comply with HIPAA data security requirements. Mobile device management solutions and network monitoring services are also viable offerings.
Regardless of how you address the need for network security, resellers and service providers that can help health IT organizations leverage their limited resources, and do so more efficiently with automated processes, will be in a position to grow their businesses, Gallery said.
Even better, he added, your efforts will extend beyond the immediate business, as you help safeguard the public at large. "IT organizations always have to do more with less and, unfortunately, the networks they control are some of the most important in our society."
Crystal Bedell is a technology writer and editor. Her articles, tips and guides help IT professionals evaluate technology, secure and modernize their IT infrastructure, solve business problems, and prepare for IT certification. She can be reached at firstname.lastname@example.org or contact @SearchHealthIT on Twitter.