Security may be a boring topic that few in healthcare want to think about, but it is of vital importance to patients. And real security doesn't just come out of a box. Those were some of the key points of a presentation last week by Paul J. Chang, MD, of the University of Pittsburgh Medical Center, titled "Introduction to Information System Security," at the Society for Computer Applications in Radiology (SCAR) Annual Meeting in Orlando, Fla.
Beyond security being 'boring', with few healthcare professionals excited about it, as Chang indicated jokingly, it is also wrongly thought of as an IT problem, or as something that comes solely as a technology you can 'buy or install' and be done with.
One of the major problems with the general perception of security is a misunderstanding of how facilities are most vulnerable. Sure, there are hackers and they are very dangerous, and though the probability of being attacked by one or more is small, the 'consequences are huge,' said Chang.
Yet even more likely is that harm will come as a result of an accidental or intentional data leak by internal personnel, or as indirect or collateral damage from spam or viruses designed to take out big players like Microsoft that inadvertently harm a health organization instead.
To counter the security problem, institutions have to consider a major shift in thinking about security, so that there is a culture of security within a healthcare organization with clear procedures that match.
Along those lines, Chang offered a number of ways in which organizations should evaluate their security practices:
- Building a Security Framework - This step should emphasize procedural changes that boost security and also should focus on physically controlling access to data and planning for power outages.
- Securing the Network - Firewalls must be constantly reconfigured, encryption-based data transmission strategies (VPN, SSL) must be used, security software must be regularly updated, and 'back door' network access must be monitored to secure your network.
- Securing Computers - Organizations should mandate the use of anti-virus software with mandatory regular updating, desktops in public areas should be locked down, and laptops in particular should be monitored for viruses and other harmful software downloaded by users that could harm the network.
- Securing users - All users should be required to have authentication before accessing the network, guest accounts should be banned, administrative rights should not be given to general users, user lists should be audited regularly, users should be trained in security practices, and HR policies should add reinforcement.
- Security for Wireless Technology - A three-pronged approach should be used to secure wireless technology. First, authentication: it should require user IDs with designated rights, and mutual authentication from both ends of the wireless connection, with external authentication from a server such as RADIUS or LDAP. Second, encryption must be used to safely encode data. Third, message integrity can be assured by utilizing software that attaches a code to each message so that its content can be checked for tampering.