Sunday, October 21, 2007

The Top 10 Things a CIO Can Do to Enhance Security

Harvard Medical School networks are attacked every few seconds 24 hours a day, 7 days a week. These attacks come from such diverse locations as Eastern Europe and Eastern Cambridge (MIT students). In general, protecting the privacy of 3 million patient records is a Cold War. Hackers innovate, Information Technology departments protect, Hackers innovate and the process continues. Providing security is a journey and we have been on the path to security best practices for many years. The following is my top 10 recommendations to guide this journey

1. Policies/Governance - Without policies and governance, enforcing security best practices is impossible. Do you allow IM or not? Do you allow modems to be attached to computers without IT approval? Can data be copied onto a thumb drive and transported off site? Such major policy questions must have definitive answers and sanctions for violating these policies must be enforced. BIDMC's current technology policy is found here

2. Risk assessment and stratification - Do you consider the HIV status of patients to be the same security priority as protecting the data integrity of the library catalog? Probably not. We have established 4 classifications of risk:

**** Internet connected clinical data which is patient identified. Compromise of a passwords could lead to access of thousands of patients records
*** Internet connected clinical data which is patient identified. Compromise of a passwords could lead to access to one patient record
** Internet connected clinical data which is not patient identified. Compromise of passwords could lead to access of aggregate data without patient identifiers
* No patient records available

Our journey to enhance security focuses on **** and *** data first. By ensuring our latest technologies and techniques protect our most sensitive data, we apply our people and budgets to the areas of greatest risk.

3. Firewalls - many years ago, we used the "Blanche Dubois" approach to security - a firewall that empowered academic collaboration but relied on the "kindness of strangers". One of our first security enhancements in the 1990's was to replace our permissive firewall (allow anything except where prohibited) with a restrictive firewall (deny everything except were permitted). During this process we eliminated 99% of our publicly available IP addresses, eliminated peer to peer traffic, and created a demilitarized zone (DMZ) for our web servers.

4. Intrusion detection and prevention/Host intrusion protection - recognizing that operating systems are patched continuously and that applications have vulnerabilities, there are attacks that take advantage of the time between a patch being released and a patch being applied. We've employed software that provides "zero day" protection - eliminating the kinds of traffic between servers that are suggestive of attacks or questionable behavior. We do this network wide and on individual servers, especially our web servers.

5. Remote access methods - the security of the network is only as good as its weakest point. Remote access technologies such as SSLVPN, Metaframe, and Remote Desktop via thin client computing devices minimize the threat of viruses from remote access points. Ideally, all computers accessing protected healthcare information should have up to date operating system patches, up to date antivirus software and no software which could compromise the security of the device (i.e. peer to peer file sharing)

6. Network Access Controls - in most institutions, hackers wanting to access a hospital network can walk in the front door, unplug and existing computer and access the network with whatever nefarious devices they choose. Less malevolent is the traveling vendor who plugs a laptop into the network to do a demo, giving viruses and spyware on that laptop full access to the hospital networks. Technologies such as Cisco's Network Admission Control and
Microsoft's Network Access Protection restrict network access to known machines containing the right versions of the right software needed to ensure end to end security.

7. Vulnerability Assessment - Many healthcare applications have vulnerabilities which can lead to inappropriate disclosure of patient data. Typical vulnerabilities include buffer overflows, SQL/Javascript injection attacks, and cross server scripting attacks. Hiring "white hat" hackers to perform penetration testing of mission critical applications, networks, and operating systems helps identify potential problems before security is compromised. Even if vendors do not repair these deficiencies, Host intrustion protection software can mitigate risks by surrounding systems with an extra layer of vigilance, stopping attacks before they start.

8. Provisioning/Authentication/Authorization - Having robust processes to grant passwords only to qualified users, terminate accounts when staff leave the organization and enable only the "minimum need to know" access to clinical data are foundational to good security. When passwords are issued, they should be strong (non-English words, mixed case, numbers and letters, greater than 8 characters long etc.), expire at a reasonable internal (at least yearly), and be role-based. Registration clerks should not be able to access medication lists or psychiatric notes, only those demographic data elements needed to perform their duties.

9. Anti-virus/Anti-Spyware - The design of Windows operating systems, in which all internal "services" run as the administrator, creates a vulnerable environment that necessitates the need for anti-virus and anti-spyware software.

10. Audit trails - Authorized Internal users can be even more of threat than external hackers. Collecting audit trails and implementing a program to monitor accesses is essential. Has one account accessed more than 20 patients a day? Has more patient been examined by more than 20 accounts? Who is accessing employee healthcare records? Who is accessing the record of a famous athlete or actress? Audit trails and tools to mine audit data help answer these questions.

These ten areas are a starter kit to appropriate security in a healthcare organization. Security cannot be an afterthought, it is project that must be resourced. A well trained and staffed security team is essential to success. To keep our organizations secure, I have a full time Security Officer and a team of security professionals maintaining our firewall rules, intrustion detection/prevention software, and our auditing systems. Compliance with HIPAA is a key motivator to implement good security, but most important is retaining the trust of our patients. We are the stewards of their data and our security systems are the last defense against breaches of confidentiality.


Val said...

Thanks for those helpful tips, and welcome to the blogosphere, John. I look forward to learning from you. :)

Val Jones, MD
Senior Medical Director
Revolution Health

JimmytheGeek said...

I agree with most of your post, but I would say I think NAC is comparatively worthless as a technology if it could be described as a technology.

No implementation is more than a speedbump to an attacker, and I don't see much value for legit users compared with the other host-based policy enforcement mechanisms you should already have deployed. See for an authoritative perspective.