This is a continuation of an interview with healthcare security expert Mac McMillan, CEO at CynergisTek Inc. Part one of this interview covered ways to comply with all the different healthcare regulations. Here, he discusses operating systems and how vendors should fit into a hospital's overall encryption strategy.
Windows 2000 (and the servers running it) aren't FIPS [Federal Information Processing Standards] 140-2 certified. Is that a problem? Are there a lot of Windows 2000 servers in service that you have seen?
Mac McMillan: [Chuckles] Well, first of all, this is actually a bigger problem than the one you're talking about. Windows 2000 is an unsupported system, meaning it is an obsolete system. So, you have Windows NT, Windows 2000, where soon Windows XP will be an obsolete system as well. Those systems, just by definition, should not be in your environment anymore because they are not supported by the vendors, there are no patches or fixes for them for security problems, and the encryption piece of this is minimal compared to the rest of it.
So first and foremost, we just shouldn't still be using those platforms. However, a large number of organizations still have those systems in their environment, primarily because they are running an application that the vendor has not upgraded to work on a more recent operating system version, or they have a legacy system that they need one of those platforms for. But to be honest, the encryption piece of this is trivial compared to the fact that these platforms are obsolete and unsupported systems, and so by definition are not secure to begin with. And they are never going to meet FIPS 140-2 because the vendors aren't going to do anything to make them that way.
How do you fix that? What are you recommending providers upgrade to?
McMillan: The way you fix that is you upgrade to a current operating system level. Whatever the current version of Windows or Unix is, they need to put processes in place to make sure that their refresh rate is such that they are at least always on supported platforms -- in other words, not on obsolete platforms. What that means is that you can't wait five years to replace a system and of course, this has a financial impact, and that is one of the reasons why we are where we are. They don't just have to upgrade the platform, but also the application, so it's a double whammy.
Some experts estimate a midsize hospital may have up to 3,000 business associates, and some of those BAs subcontract services. How can providers track that their BAs are running HIPAA-grade encryption?
McMillan: The short answer is that they can't, other than to ask those vendors to provide some level of assurance, whether it be something in writing or a third-party assessment, etc. But in terms of making sure that they are running encryption or have encryption enabled in their environment at all times -- there is no way, in real time, to be aware of that.
But [providers] can do a better job of selecting vendors. They can make sure they ask those vendors to answer questions around privacy and security before they select them. During the contracting process, they can request that those vendors provide basic documentation that demonstrates their basic level of compliance and provides proof with respect to their environment.
They can test the transmission of data back and forth between themselves and the vendor to verify that way. They can require the vendor to encrypt the data when they send it so they can verify whether it was or not. But being able to monitor in real time in any specific way is not feasible. But [providers can require vendors], in order to connect to us or in order to transmit data to us, they would have to meet a certain requirement and do it in a certain manner, and by virtue of doing that, enforce that level of encryption in some cases.
Have you heard any clients or anecdotes from HIMSS members that healthcare practitioners are complaining that encryption is slowing their work down (hard to manage, degrades device performance, and so forth)?
McMillan: I hear those comments once in a blue moon, and they are generally out of context. What I find is that those are generally based on suppositions, not real facts. We have lots of hospitals that we work with that have incorporated encryption into their processes, and other than a little bit of screaming and hollering at the front end when the interns were having to learn how to use it, in a very short period of time, once they got used to it, it goes away.
Can it have an impact on production? It can, but in most cases, the impact is so minimal that it is negligible. It's really more [a case of] people pandering to their fears and what they've heard people say, as opposed to real experiences. In most cases, they don't even question it after a breach, and quite frankly, they figure out that they could have done it before and it wasn't really that big of a deal, but it's too late at that point.
Any other advice for CIOs who want to implement an encryption strategy for patient data at rest and in motion? Looking at privacy and security best practices in general?
McMillan: The first piece of advice I have is don't just opt for encryption right out of the box. Take a step back, have somebody help you do it or have your own folks do it, and develop a data protection or encryption strategy. In other words, think through how you are going to manage your data and where that data needs to live, and discern, first of all, 'Do I really need all this encryption, or do I need encryption everywhere in my environment, or are there ways to deliver IT services and information to my user communities without having to encrypt it?'
The first piece of advice I have is don't just opt for encryption right out of the box. Have somebody help you do it … and develop a data protection or encryption strategy.
CEO, CynergisTek Inc.
And there are ways to do that. There are gateways that can allow users to access that data without the data ending up on endpoint devices. There are virtual platforms that I can use for workstations so that I don't have to worry about information ending up there. There are DLP [data loss prevention] solutions that I can deploy that allow me to put rules in place on remote devices that will permit other types of transmission, but will not permit ePHI [electronic protected health information] to be stored there or transmitted there if it's not appropriate.
So, there are other options that I have that better preserve my user environment workflow and my functionality and features of my network, and give me greater flexibility. Granted, those are going to require more thought, resources and investment, but at the end of the day, I think [CIOs] will end up being a lot happier if they take a step back and, one, assess their environment and do all their planning first, then look at all their options with respect to technology that can support or will work with encryption, and lastly, identify areas where encryption is still appropriate or most appropriate and apply it where [they] need it.
Encryption is not a panacea. You never approach any problem of security that there is one way to do it or just one solution. There is always an integrated approach, and usually an integrated approach is the best one at the end of the day.
My second piece of advice is to look carefully at solutions before you buy them. Make sure they have the features and the functionality that are required for you to be compliant. You also need to have your IT organization think 'down the road.' We are fast approaching a world where the network, as we know it today, will no longer be valid. We're not going to talk in terms of network and perimeter, internal vs. external.
The perimeter is becoming a very broad expanse of connections where essentially we have a multitude of ways to connect to our data and to have access to it to do the things we need to do, and it's not going to be the way it is today within a very short period of time. In another couple of years, it will be rare for people to walk in and sit down at a terminal. People are going to be working from some sort of mobile device and will have a docking station at their desk that they'll plug into. We have a much more mobile community and mobile environment today, and I don't think the solutions we're using today and techniques that we've employed in the past will be adequate in the near future.
And it's going to be about the data and controlling access to that information -- focusing on the user, as opposed to the hardware. We're going to have more and more applications stored and provided either via the ASP [application service provider] model or through the cloud. In some cases we're going to have entire infrastructures provided through the cloud, and we're certainly going to have more data stored out there in the cloud. And what I think we're going to end up with is a very, very different IT environment than what we've been used to in the past. Folks need to get in front of that and begin to embrace what that means as it relates to platforms, services, security, privacy and so forth.