“An adequate security model transcends devices and technology and requires a comprehensive policy integrated into user workflow,” Paul Chang, MD, security section head for the Society for Imaging Informatics in Medicine (SIIM) and director of the division of radiology informatics at the University of Pittsburgh Medical Center, told an audience yesterday at the SIIM (formerly SCAR) annual meeting in Austin, Texas.
Healthcare is not a high-priority target for outside hackers; accidental breaches from inside the network and disgruntled employees pose the more significant threat.
Security requires a change in user attitude and philosophy and consists of six components, Chang said.
- Secure the environment by controlling physical access to technology.
- Secure the network by deploying firewalls and encrypted transmission such as Virtual Private Networks (VPN) and Secure Sockets Layer (SSL), keeping updates and patches current, and monitoring open ports and network traffic.
- Secure the computer with antivirus and anti-spyware software and careful management of public computers and laptops. The laptop, said Chang, is akin to an unfaithful spouse that can transmit viruses.
- Secure the software with audits, patches and updates.
- Secure the data with encryption, disaster recovery and audits.
- Secure the user via authentication. Consider CCOW (the HL7 Clinical Context Object Workgroup standard for sharing user and patient context, including sign-on, across clinical applications) and biometric authentication. Educate users and implement human resources policies.
“Collaboration and communication between IT and users is essential for compliance,” concluded Chang.
NEMA and 21st century security
Nicholas Mankovich, PhD, of the National Electrical Manufacturers Association (NEMA) Security and Privacy Committee, outlined trends impacting security from the medical device standpoint. The growing use of commercial off-the-shelf software in medical devices exposes them to the same threats as general-purpose IT, and the growing use of IT in medicine must be balanced against patient privacy and data security legislation, said Mankovich.
NEMA is working through consortia and stakeholder groups to address security issues, and its committees will establish and communicate best security practices for medical device manufacturers, said Mankovich. Manufacturers are already changing product development and organizational structures (for example, remote service and patch validation) and improving internal and external communication to respond to security needs.
Emerging issues in security: the pyramid approach
Security is evolving and growing more complex, Barton Branstetter, MD, associate director of radiology informatics at the University of Pittsburgh Medical Center, told the audience. To illustrate the point, Branstetter noted that security administrators in vulnerable industries may receive 10 megabytes of log data per minute; they can no longer sift through it manually.
A pyramid approach is advised, said Branstetter. The firewall forms the base. Analytic tools such as an intrusion detection system provide the next layer of protection. The top layer, meta-analytic software such as security event monitors and network node validators that help ensure client machines are clean, is essential. “Don’t overlook human culture; the hospital must actively emphasize security,” Branstetter concluded.
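The "monitor ports and network traffic" item in Chang's checklist and Branstetter's point that firewall output is too voluminous to read by hand both come down to the same thing: the analytic layer of the pyramid is code that reduces raw firewall logs to a handful of events worth a human's attention. The following is an added example, not code from the presenters or from SIIM, of that reduction over constructed iptables-style log lines (the `FW-DROP`/`FW-ACCEPT` prefixes, host names and addresses are invented; port 104 is used because it is the default DICOM port in an imaging network). It parses each line, counts denied packets per source, flags sources that probe many distinct ports (a port scan), and flags sources repeatedly denied on one service port.

```python
import re
from collections import defaultdict

# Constructed iptables-style log lines (not captured traffic). Host 10.0.0.5
# probes six ports on one target, 10.0.0.7 is denied twice on the DICOM port,
# and 10.0.0.9 makes one accepted DICOM connection.
SAMPLE_LOG = """\
Jun  2 10:15:01 fw1 kernel: FW-DROP IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.1.20 PROTO=TCP SPT=40123 DPT=22
Jun  2 10:15:01 fw1 kernel: FW-DROP IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.1.20 PROTO=TCP SPT=40124 DPT=23
Jun  2 10:15:01 fw1 kernel: FW-DROP IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.1.20 PROTO=TCP SPT=40125 DPT=80
Jun  2 10:15:02 fw1 kernel: FW-DROP IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.1.20 PROTO=TCP SPT=40126 DPT=443
Jun  2 10:15:02 fw1 kernel: FW-DROP IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.1.20 PROTO=TCP SPT=40127 DPT=3389
Jun  2 10:15:02 fw1 kernel: FW-DROP IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.1.20 PROTO=TCP SPT=40128 DPT=104
Jun  2 10:15:03 fw1 kernel: FW-DROP IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.1.20 PROTO=TCP SPT=51000 DPT=104
Jun  2 10:15:04 fw1 kernel: FW-DROP IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.1.20 PROTO=TCP SPT=51001 DPT=104
Jun  2 10:15:05 fw1 kernel: FW-ACCEPT IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.1.20 PROTO=TCP SPT=52000 DPT=104
"""

# Fields of interest in one netfilter-style line; the FW- prefix is an
# assumed --log-prefix value, not a standard one.
LINE_RE = re.compile(
    r"FW-(?P<action>DROP|ACCEPT) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return a dict of the firewall fields, or None for lines that are not firewall records."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["spt"] = int(rec["spt"])
    rec["dpt"] = int(rec["dpt"])
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def drops_by_source(records):
    """Denied packets per source address: the first thing an analyst wants summarized."""
    counts = defaultdict(int)
    for r in records:
        if r["action"] == "DROP":
            counts[r["src"]] += 1
    return dict(counts)


def detect_port_scans(records, min_distinct_ports=5):
    """Flag sources whose denied packets touch many distinct destination ports."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "DROP":
            ports[r["src"]].add(r["dpt"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_distinct_ports}


def detect_repeated_service_probes(records, port, min_hits=2):
    """Flag sources repeatedly denied on a single service port (e.g. 104 for DICOM)."""
    hits = defaultdict(int)
    for r in records:
        if r["action"] == "DROP" and r["dpt"] == port:
            hits[r["src"]] += 1
    return {src: n for src, n in hits.items() if n >= min_hits}


def report(text):
    """Reduce a raw log to the three summaries a security event monitor would surface."""
    recs = parse_log(text)
    return {
        "drops_by_source": drops_by_source(recs),
        "port_scans": detect_port_scans(recs),
        "dicom_probes": detect_repeated_service_probes(recs, 104),
    }


if __name__ == "__main__":
    for name, value in report(SAMPLE_LOG).items():
        print(name, value)
```

Nine lines reduce to two findings: one scanner and one host that keeps knocking on the DICOM port. The thresholds (`min_distinct_ports`, `min_hits`) are the tuning knobs a real monitor would set per network; the point of the pyramid is that the analyst reads the findings, never the nine (or nine million) lines that produced them.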