Hospitals track information flow to boost security efforts

As healthcare network security grows trickier with networked medical devices and personal mobile devices, some organizations are going beyond merely trying to control access to patient data, better tracking how information flows.

A talk titled "Data Security in the Cloud: Leveraging the Low-Cost Advantages while Managing Risk" at the iHT2 conference in Boston earlier this month focused on access controls and other ways to improve network security, HealthITSecurity reported.

David Reis, chief information security officer and vice president of IT governance, portfolio management and security at Lahey Health in Burlington, Massachusetts, said his organization no longer trusts everyone inside the network just as it doesn't trust everyone externally.

Though it still uses IT at the perimeter, Reis said that Lahey has found that preventive technology can be untrustworthy when used with encryption. It has adopted strict network access controls and is more focused on knowing about user activity than stopping it.

Not just any device can be plugged into its network, Reis said. the system has to know what device was plugged in, who was associated with it and how long it was connected.

With a robust data exfiltration capability, it can watch where data moves, the devices being plugged in and what users are doing on the network.

John Meyers, assistant professor of medicine and director of technology at Boston University Medical Center, touted research showing how data traffic patterns can help determine whether such activity is friendly. He foresees vendors offering firewall appliances using algorithms to scrutinize traffic patterns.

Cris Ewell, CISO at Seattle Children's Hospital, recently outlined its strict monitoring of personal devices--including knowing what happened to old ones that are lost or replaced.

Poor access controls have been cited in audits of information systems at 10 state Medicaid agencies, at the U.S. Department of Veterans Affairs and at the Indian Health Service (IHS). In a mock cyber attack, penetration testers were able to gain unauthorized access to an IHS web server and to take control of an IHS computer, which allowed access to all of its files.

To learn more:
- read the HealthITSecurity article