ORLANDO, Fla. -- Measuring information security is tricky business. That's why creating a health IT network security
policy can seem like an impossibly complicated series of software, hardware and strategic controls. Nevertheless, there are best practices hospitals can follow, IT managers say.
Two speakers at the Healthcare Information and Management Systems Society's HIMSS 2011 conference broke down a step-by-step plan to navigate a network security policy. The presenters -- James Tarala, principal consultant for The SANS Institute; and Jennifer Adams, compliance, privacy and security officer at Shared Health, a large Florida commercial health information exchange (HIE) -- discussed the efforts they've made based on the publication, Twenty Critical Controls for Effective Cyber Defense, from the nonprofit Center for Strategic & International Studies (CSIS).
CSIS issued its general guidance for IT managers in all industries to customize their own network security strategies, but Tarala and Adams showed attendees how the 20 best practices can be used specifically to beef up a health care network security policy and comply with the Health Insurance Portability and Accountability Act (HIPAA).
One major frustration about managing network security -- and selling an investment in it to hospital administration -- is that there are few metrics with which to measure success.
"How do we exactly measure information security?" asked Tarala, who added that the best measure of success is the lack of any security event. "Let's say, next year we decide we're going to spend $2 million on our information security budget. … What do we hope happens? Nothing. Our goal is that we spend that $2 million and nothing happens. That's what success means."
This also is the tricky part of convincing managers and determining exactly how much to invest in network security policy, Tarala added. "If we spend $1 million this year and $4 million next year, does that mean it is four times as likely that nothing happens?"
Return on security investment, therefore, can be difficult to prove. Tarala pointed session attendees to The SANS Institute's free resources page for hospital CIOs who want to catch up on network security best practices. In places, the CSIS guidance does offer specific measurements that signal success in enacting one of its controls; those measurements often are based on federal National Institute of Standards and Technology (NIST) prescriptions.
Identifying key network security controls …
At first glance, the 20 critical controls seem obvious: Know which devices and software are on your network, for example, and maintain access control and administrative privileges. For health care IT leaders, however, who are trying to maintain security while rolling out an electronic health record system -- or expanding an already installed EHR application so doctors and nurses can use it with smartphones, tablets, laptops and other mobile devices -- keeping track of who's on and who's off the network can be anything but simple.
Tarala pointed out that the CSIS guidance acknowledges that different organizations are at different levels of sophistication in their network security plans. For those just starting to build a comprehensive strategy -- say, to comply with new HIPAA rules or after completing a new risk assessment -- CSIS prioritizes "Quick Win" first measures for each control. These work "without major procedural, architectural or technical changes to [the] environment," CSIS says.
Beyond the quick wins are more sophisticated strategies that involve network monitoring, configuration, and what CSIS terms security hygiene, which it defines as measures taken "to improve the information security stance of an organization by reducing the number and magnitude of potential security vulnerabilities." One strong point of CSIS' security guidance is that these processes should be automated whenever possible, Tarala stressed. The more processes you automate, the more solid your security.
The security guidance stresses, furthermore, that organizations should analyze their risk and shore up the places where they are most vulnerable to attack -- and beyond that, they should secure areas where a successful attack would be most damaging.
Hospitals also should have a game plan for mitigating damage if an attack occurs. To achieve this, CSIS recommends they develop IT leadership that's competent in incident response and understands data recovery techniques.
… And using them to create a network security policy
All that theory might sound good, but what real-world steps can hospital network admins take to put it into practice? Adams outlined the nine specific measures Shared Health has taken to shore up its network security strategy. In all, those measures cover 11 of CSIS' 20 network security controls:
- Create a whitelist of devices allowed on the network.
- Conduct quarterly vulnerability analyses.
- Scan the network daily to detect new devices and software on it.
- Install a program logging tool that notes changes to network devices, such as switches.
- Consolidate network audit logs into one central reporting tool. Establish a "clipping level" -- a threshold of normal network activity -- and send alerts when activity goes above or below that threshold.
- Enhance access control by establishing a policy prohibiting password-sharing and by auditing user accounts quarterly. The purpose of the audits is to confirm that employees are still with the company and to monitor the activity associated with those accounts.
- Subscribe to vulnerability listing services to keep abreast of new security threats.
- Create an incident response team, and keep up-to-date a business continuity plan that identifies the time-sensitive applications and processes that would need to be addressed first in the wake of a security incident.
- Train software developers in security best practices to make sure they're aligned with the organization's security practices, as well as to prevent inadvertent security loopholes in their configurations or code.
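The "clipping level" measure above, as an added illustration rather than code from the session or from Shared Health: audit log lines from several devices are consolidated, counted per device per hour, and the latest hour is flagged when it falls above or below the band of normal activity. The log line layout, the band width K, and the sample lines are assumptions constructed for the example.

```python
"""Clipping-level alerting over consolidated audit logs (added illustration).

Not code from the HIMSS session or Shared Health; the line layout
"YYYY-MM-DD HH:MM <device> <event>" is an assumption. Events are counted per
device per hourly window; the band is mean +/- K standard deviations of the
earlier windows. A device that stops logging shows up as a count of 0.
"""
import re
import statistics
from collections import defaultdict

LINE_RE = re.compile(r"^\d{4}-\d\d-\d\d (?P<hour>\d\d):\d\d (?P<dev>\S+) (?P<event>\S+)$")
K = 2.0  # band half-width in standard deviations


def window_counts(lines):
    """{device: {hour: count}} over every hour seen for any device."""
    counts, hours = defaultdict(lambda: defaultdict(int)), set()
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # a production tool would also count malformed lines
            counts[m["dev"]][m["hour"]] += 1
            hours.add(m["hour"])
    return {dev: {h: counts[dev][h] for h in sorted(hours)} for dev in counts}


def clipping_alerts(lines, k=K):
    """Flag each device whose latest hour is outside the band of its earlier hours."""
    alerts = []
    for dev, by_hour in window_counts(lines).items():
        hours = sorted(by_hour)
        if len(hours) < 2:  # nothing to baseline against yet
            continue
        baseline, current = [by_hour[h] for h in hours[:-1]], by_hour[hours[-1]]
        mean, sd = statistics.mean(baseline), statistics.pstdev(baseline)
        if current > mean + k * sd:
            alerts.append((dev, hours[-1], "above", current))
        elif current < mean - k * sd:
            alerts.append((dev, hours[-1], "below", current))
    return alerts


def constructed_sample():
    """Constructed log lines: hourly event counts for two devices, 08:00-12:00."""
    plan = {"core-sw1": [3, 3, 2, 3, 7], "edge-sw2": [2, 2, 2, 2, 0]}
    return [f"2011-02-22 {8 + i:02d}:{5 * j:02d} {dev} login_ok"
            for dev, per_hour in plan.items()
            for i, n in enumerate(per_hour) for j in range(n)]


if __name__ == "__main__":
    for alert in clipping_alerts(constructed_sample()):
        print("ALERT device=%s hour=%s %s band, count=%d" % alert)
```

In the sample, core-sw1 spikes to 7 events in its last hour while edge-sw2 goes silent; the silent device is the case a plain "too many events" threshold would miss.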
The toughest part of putting a network security policy into practice may very well be getting a handle on the devices on the network. That might seem to be a no-brainer for networks in other industries, but hospitals are different: Physicians and patients need to access the network with any number of computers, phones and sensors in the course of care; and providing wireless Internet access is a key perk for patients and their families in hospital beds and waiting rooms.
Because of this typically open access, controlling the devices coming onto and leaving a hospital network is much more complicated than just prohibiting every new device until it is properly provisioned by the IT people. The whitelisting strategy, which sets off alarms when an unlisted device gets onto the network, works for Shared Health, Adams said, but it requires bandwidth to maintain.
"You have to be careful that you maintain that whitelist, or you can alert yourself to death," she said.
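The whitelist-plus-daily-scan approach, with the two maintenance problems Adams raises handled: an unknown device is alerted once and then at most weekly rather than every day, and whitelist entries that have not been seen for a while are reported so the list itself gets reviewed. This is an added illustration, not Shared Health's tooling; the whitelist and scan formats, the two day limits and the sample devices are constructed assumptions.

```python
"""Daily device-whitelist check with alert suppression (added illustration).

Not Shared Health's tooling; the whitelist and scan formats and the sample
data are constructed. Unknown devices are alerted once and then at most every
RESUPPRESS_DAYS; whitelist entries unseen for STALE_DAYS are reported for review.
"""
from datetime import date, timedelta

STALE_DAYS = 30       # whitelisted device unseen this long: review the entry
RESUPPRESS_DAYS = 7   # repeat the same alert at most once a week


def _due(state, key, day):
    """True if `key` has not been alerted within RESUPPRESS_DAYS; records the alert."""
    last = state.get(key)
    if last is not None and (day - last).days < RESUPPRESS_DAYS:
        return False
    state[key] = day
    return True


def check_scan(scan_day, scan, whitelist, state):
    """scan: [(mac, ip)]; whitelist: {mac: {"owner": str, "last_seen": date}};
    state: {(kind, mac): date_last_alerted}, carried between daily runs.
    Updates whitelist last_seen and state in place; returns the day's alerts."""
    alerts = []
    for mac, ip in scan:
        if mac in whitelist:
            whitelist[mac]["last_seen"] = scan_day
        elif _due(state, ("unknown", mac), scan_day):
            alerts.append(("unknown_device", mac, ip))
    for mac, entry in whitelist.items():
        stale = (scan_day - entry["last_seen"]).days >= STALE_DAYS
        if stale and _due(state, ("stale", mac), scan_day):
            alerts.append(("stale_whitelist_entry", mac, entry["owner"]))
    return alerts


def constructed_demo():
    """Three scans (day 0, day 1, day 8) on constructed data; returns per-scan alerts."""
    day0 = date(2011, 2, 21)
    whitelist = {
        "00:11:22:33:44:01": {"owner": "ER nurse station", "last_seen": day0},
        "00:11:22:33:44:02": {"owner": "infusion pump 7", "last_seen": day0 - timedelta(days=40)},
    }
    scan = [("00:11:22:33:44:01", "10.1.0.5"), ("aa:bb:cc:dd:ee:ff", "10.1.0.99")]  # same each day
    state, results = {}, []
    for offset in (0, 1, 8):
        results.append(check_scan(day0 + timedelta(days=offset), list(scan), whitelist, state))
    return results


if __name__ == "__main__":
    for day_alerts in constructed_demo():
        print(day_alerts or "no alerts")
```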
Let us know what you think about the story; email Don Fluckinger, Features Writer.