Tuesday, December 4, 2012

Crafting the Security Roadmap

Per the theme of security assessment I've been posting about, part of crafting a multi-year security roadmap is examining technologies and practices that have limited use in healthcare but are widely deployed in other industries.

Application Security Testing -  Vendor applications including those with FDA 510k approval may have security vulnerabilities.   Testing third party products with source code analysis tools can find defects that are missed by traditional vulnerability scanning software.   Related to Application testing is third party vendor management.   Testing and verifying the security of cloud hosted service providers and business associates is becoming a best practice.

Data Loss Prevention - Although many healthcare organizations have strict policies on the use of email, social networking, cloud storage, remote access, and mobile devices, it's increasingly import to have technology in place that enforces policies, preventing users from violating policy by sending data to non-secured locations i.e. sending patient information to a referring clinician who uses Gmail.   Many vendors offer appliances that quarantine, notify, restrict, and manage the flow of email containing person identified information/protected healthcare information.    Related to DLP is a strategy to prevent use of unencrypted storage devices - thumb drives, DVDs, CDs etc.

Adaptive Authentication  -  Critical applications, including email, enterprise resource planning , and clinical applications deserve increased authentication rigor.   For example, if a user is not typically outside the US and suddenly logs in from an unexpected location, then the user should be challenged with an additional factor.  Approaches could include a secret question or a one time PIN code sent to a known cell phone.  Such applications can also perform a risk analysis of authentication events to detect anomalies, including authentication events using compromised accounts and suspect IP addresses.

As with other posts on such topics, I look forward to comments about your plans and experiences in these areas.


Medical Quack said...

I just posted today about a company Citrix is buying and looks pretty good from what I read...Zenprise mobile platform management..reminded me of old days of active directory and group policy since I don't do that anymore and never want to be that job again:) It has native user environment interface and nice SharePoint functionality, all encrypted,might be worth a look at it covers all the major mobile devices Ipad, Iphone, Windows Mobile, Android..

Unknown said...

Zenprise and MobileIron are both finalist in my current selection process. MobileIron was the clear winner due to financial stability and install base. Zenprise seemed much more flexible with a significantly lower cost. I was able to point out to the MobileIron rep when he demonstrated the security of their products secure file storage (no files can be forwarded out of the device due to restrictions) that it was bypassed by pushing two buttons on the iPad to take a screenshot... another problem- lockdown of taking screen shots needs to be able to be restricted by foreground application inspection- no by the entire device policy. Think if you locked down a Dr's personal iPad camera or screen capture because he needed to view cardiac images twice a month- not likely.
I joked to the Zenprise rep that Impravata or someone needed to buy them... two weeks later I saw the Citrix announcement. They stepped up a bit in my book now.

Eireann Connolly said...

A good data loss prevention program can also help healthcare organization discover and monitor the location and ownership of sensitive data at rest such as personal health information, PII and even sensitive research IP.

Many of the healthcare organization I work with find that if they start by finding and managing data at rest is a great way to make DLP strategies more effective for data in flight (email, etc). If you can focus on both with approach all the better!