Hospital Security: It's not just technology, stupid

Twitter icon
Facebook icon
LinkedIn icon
e-mail icon
Google icon
Without procedures and policies focused on how to keep information safe, organizations will never be able to keep up with the mounting number of attacks. That was the main lesson of the final portion of a SCAR U session on Security, presented last week by Barton F. Branstetter, IV, MD, University of Pittsburgh Medical Center, titled Security: Understanding the Big Picture at the Society for Computer Applications in Radiology (SCAR) Annual Meeting in Orlando, Fla.
According to Branstetter, the scope of the security problem is growing by the day as the number of intrusion attempts rises, the complexity of the attempts increases (via polymorphic worms, wireless vulnerability, and trojan horses), and the ability of institutions to defend against attacks decreases.
A major concern for most healthcare organizations is that security is not a priority, partly because security is not emphasized through procedures, but also because regulatory measures such as HIPAA are viewed as a burden despite the fact that the regulations are forcing facilities to reach security goals they should have met many years ago, Branstetter said.
One of the biggest obstacles for hospitals is how to prioritize incoming attacks within the mountain of outgoing and incoming information monitored by most current security software that does not 'prioritize, correlate, and evaluate' threats, said Bransetter.
Branstetter offered a 'Security Pyramid' of the various types of security systems that should be used as a multi-pronged approach to protect institutions from attacks:
  • Static defenses such as firewalls.
  • Analysis tools such as intrusion detection systems (IDS), probes, system integrity verifiers (SIV), log file monitors.
  • Security Event Monitors (SEM) which assemble data and prioritize attacks. These systems are also known as Security Incident Monitors.