IT Challenges in Healthcare
From the Editors of ITSC
This article is the first of two. Part two, "Healthcare Security Trends," can be found in the Threat Intelligence channel.
The healthcare industry is at an interesting inflection point. Just a few years ago, most health records were still kept on paper, and the industry as a whole was often labeled a technology laggard. However, new medical devices, clinical applications, and inexpensive wireless technology have caused significant changes in the IT landscape. As the ultimate goal of every healthcare provider is to provide quality patient care, systems that keep electronic records and data -- and manage critical aspects of patient care -- must be kept secure. HIPAA has spelled out important security and privacy requirements that provide a strong foundation for a comprehensive, risk-based information security program. Two top security issues are emerging in this new landscape.
Trend #1: The challenge of protecting medical devices and applications
Medical devices and applications are used in patient care for a variety of purposes, and expanded capabilities and better quality of patient care are just two of the benefits of using them. Because these devices and applications depend on an operating system, just as any computer does, they are also subject to the same threats and vulnerabilities as a computer -- including viruses, worms, and other intrusion attempts. Further, many medical devices were not designed to be networked, so connecting them to a network exposes them to higher risk. The security of these devices and applications is particularly complicated in the healthcare provider environment.
One common complaint from hospital IT administrators is that they believe they are not permitted to apply operating system patches or even run security software on servers that run medical applications. Some attribute this situation to an impasse that seems to have been reached by the medical community, device manufacturers, and the Food and Drug Administration (FDA). Many IT administrators say medical device makers do not allow them to change the configuration of the systems or to run antivirus software on the devices on their own. As a result, they say they must wait for the manufacturers to provide them with an FDA-approved patch. However, the FDA says it does not need to approve patches, and is hoping medical device makers and healthcare providers can work out their differences to get this issue resolved.
Whatever the cause, this scenario leads to medical devices being left unpatched -- and therefore at risk -- for unacceptably long periods of time. Security experts believe it is only a matter of time before a worm or virus appears, exploiting an unknown vulnerability with no mechanism to fix it.
Beyond staying current on security patches, best practices include:
- Turn off and remove unneeded services.
- If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
- Enforce a password policy.
- Isolate infected computers or devices quickly to prevent further compromise of your organization.
- Train employees not to open attachments unless they are expecting them.
- Ensure that emergency response procedures are in place.
- Test security to ensure that adequate controls are in place.
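The practices above can be turned into a repeatable triage over a device inventory. The following is an added example, not code from the article or from any vendor; the inventory, service names and the 30-day patch threshold are constructed assumptions. It handles the situation the article describes: vendor-locked devices that cannot be patched locally get compensating network controls instead of a local patch.

```python
"""Compensating-control triage for networked medical devices (added example)."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date

MAX_PATCH_AGE_DAYS = 30  # assumed policy threshold, not stated in the article


@dataclass
class Device:
    name: str
    vendor_locked: bool            # vendor forbids local patching or antivirus installs
    last_patch: date
    open_services: set[str]        # what is actually listening on the device
    required_services: set[str]    # what clinical use genuinely needs
    threat_services: set[str] = field(default_factory=set)  # abused by a current blended threat
    infected: bool = False


def triage(dev: Device, today: date) -> list[str]:
    """Return ordered actions for one device, following the article's practices."""
    actions = []
    if dev.infected:  # isolate first so the infection cannot spread
        actions.append("ISOLATE")
    overdue = (today - dev.last_patch).days > MAX_PATCH_AGE_DAYS
    if overdue:
        # vendor-locked systems must wait for the manufacturer's patch; others patch locally
        actions.append("REQUEST_VENDOR_PATCH" if dev.vendor_locked else "APPLY_PATCH")
    # anything listening that the device does not need is turned off outright
    for svc in sorted(dev.open_services - dev.required_services):
        actions.append(f"DISABLE:{svc}")
    # a needed service that a known threat exploits is blocked at the network until patched
    for svc in sorted(dev.threat_services & dev.required_services & dev.open_services):
        if overdue:
            actions.append(f"BLOCK:{svc}")
    return actions


def triage_inventory(devices: list[Device], today: date) -> dict[str, list[str]]:
    return {d.name: triage(d, today) for d in devices}


# constructed sample inventory (hypothetical device names and services)
TODAY = date(2024, 3, 1)
INVENTORY = [
    Device("infusion-pump-01", True, date(2023, 11, 15), {"http", "smb", "telnet"}, {"http", "smb"}, {"smb"}),
    Device("pacs-server", False, date(2024, 2, 20), {"dicom", "https", "smb"}, {"dicom", "https"}, {"smb"}),
    Device("nurse-station-07", False, date(2023, 12, 1), {"rdp", "smb"}, {"rdp"}, {"smb"}, infected=True),
]

if __name__ == "__main__":
    for name, acts in triage_inventory(INVENTORY, TODAY).items():
        print(name, acts)
```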
Trend #2: Need for efficient backup and disaster-recovery systems
Now that more and more medical devices are networked and patient data is stored electronically, hospitals have become very dependent on IT to provide patient care. As a result, this industry is particularly sensitive to the availability of its systems and data. Should something go wrong or a system fail, especially in a critical care setting, healthcare providers will sometimes opt to keep systems running while trying to sort out the issues. From a security perspective, the typical "best practice" is to close off or shut down the system until the problem is isolated and removed -- but if a patient's life is at stake a healthcare provider may be forced to make a different choice. Many healthcare providers lack a fully developed and tested disaster recovery plan, as well as a proper backup and recovery system.
When deciding on a backup/recovery method, look for a solution that works seamlessly and quickly because taking servers down to do backup is costly in terms of human resources, money, and time. Disk-to-disk backup offers distinct advantages over traditional tape-based methods in terms of speed, reliability, and minimal intrusiveness.
In healthcare, there are many kinds of devices connecting to the provider network, and many of those connections are made remotely. The data on these devices needs to be protected from unauthorized access, and there should also be a backup system in place for mobile users. Laptops and other mobile devices are hot targets for thieves, and if a laptop is lost, or the data becomes compromised, a routine backup of the laptop or device's hard drive will save the user a lot of grief down the road.
Conclusion
Behind all of the technological advancements in healthcare, the number one goal of providers remains the same: to ensure the health and security of patients. The use of technology in a healthcare setting can make communication easier, aid the decision-making process, and help achieve a higher quality of patient care. However, all of the benefits of technology are lost if the availability and integrity of the technology and patient data are compromised. We have seen only the beginning of how the trends noted in this article will impact healthcare. This is an industry where advanced technology can have a profound impact on creating a healthier and safer population, and providers must be diligent about applying appropriate safeguards that protect it from unauthorized use, and at the same time assure that it is available to those who need it.