E-News Exclusive

Safely Connect Your Network, Comply With Government Regulations
By Paul Judge, MD

In April, the University of California, Berkeley reported that hackers accessed the Social Security numbers and health-related data of more than 160,000 students who visited the school’s health services center. This type of data breach is a real possibility for healthcare organizations, as medical records are increasingly being targeted for data theft. Major penalties may be at stake if IT professionals can’t ensure health information is secure.

Like most companies, healthcare organizations have come to rely on the Web as both a source of information and a platform for critical applications. Web 2.0 applications, in particular, are taking off as clinicians, administrators, and patients turn to the Internet to access and share information. Unfortunately, while new Web programs bring advantages in terms of ease of use and collaboration, the Web itself isn’t always safe. Cyber criminals continue to find new ways to capitalize on security holes in Web-based applications and steal medical information.

There are several fundamental technology shifts happening on the Web that may present serious threats to healthcare networks and users. Some of the most common security risks associated with Web changes are the following:

• Web growth means traditional security tools are less effective. The Web is growing at the rate of one new domain created each second. Many of these Web sites have become hiding grounds for botnets and rogue software programs. Healthcare organizations often implement traditional URL filters to block users from reaching potentially malicious sites. However, of the 400 million URLs online, only 100 million of those are classified by traditional URL filtering solutions. Cyber criminals are aware of this vulnerability and exploit it to design attacks, which place harmful content on unclassified sites that can bypass network firewalls completely undetected, putting sensitive information at risk.

• Hosted applications could leave data unprotected. Traditional on-site software installed in an organization’s own network is being displaced with browser-based applications that can be accessed from anywhere through the Web. For example, EMR software, popular in small practices with a limited IT infrastructure, may be hosted by the vendor at a site far away from the hospital and is then accessed by health professionals who log on to a Web page. The propagation of these Web-based applications creates new targets for hackers to exploit (as in the case of the University of California, Berkeley), with sensitive data completely exposed.

• User-generated content may be untrustworthy. Millions of consumers post content online. In fact, more than one half of the top 100 Web sites are based on user-generated content, including patient networking sites and feedback forums. But users can’t always be sure of whom they are interacting with online. There is a critical void in online trust when it comes to communication and collaboration.

• Remote Web access isn’t often secured. Smartphones and laptops are used every day by healthcare professionals to access the Web remotely. Although they may connect with the corporate network, these devices are not always protected outside of the healthcare facility. This leaves mobile users and the network vulnerable to a Web-based attack.

With tens of thousands of new malicious URLs generated each day and Web-based attacks constantly evolving, traditional security solutions can’t keep up. Organizations need to be able to identify potentially malicious people, software, and Web site destinations in real time—at the very instance of access before systems or data are compromised. This is especially true for a highly regulated industry such as healthcare, which manages sensitive personal data and faces strict scrutiny and regulations such as HIPAA to ensure privacy for patient information.

To solve this problem, HIT professionals are encouraged to investigate Web security services that include antivirus, antimalware, application control, URL filtering, and policy management in one complete solution. For example, American Health Associates, Inc, a clinical reference laboratory serving physicians, hospitals, home health agencies, and other healthcare organizations, recently set out to bolster its Web defenses. The IT staff needed to set and enforce policies to protect patient and corporate information while employees access the Internet. Now, the organization can protect information from malicious Web applications, enforce corporate policies regarding Web use, and assist in compliance with regulatory requirements for strict control of patient information. The software-as-a-service approach ensures complete security while avoiding the costs associated with deploying and maintaining on-site, licensed security software.

Healthcare is a top priority for millions of Americans, and the safety of using the Web to find, store, and communicate healthcare-related information remains a critical security issue for HIT professionals, who need to do their part to ensure that healthcare professionals and patients can safely use today’s dynamic Web applications without risk of data loss or identity theft.

— Paul Q. Judge, MD, serves as cofounder and chief technology officer for Purewire, Inc.