I.T. Threats: Obvious, Unknown or Hyped?



A couple of years ago, a computer worm called the SQL Slammer was making the rounds through information networks in multiple industries. The worm earned its moniker by proliferating through systems running on Microsoft Corp.'s SQL Server technology.

In some provider organizations, the worm found its way into information networks through computers embedded in medication cabinets, recalls John Smaling, principal at Vitalize Consulting Solutions Inc. of Kennett Square, Pa. "Information technology staff had no idea these cabinets had intelligence in them and were running on SQL servers."

Years after the compliance date of the HIPAA privacy and security rules, many health care organizations are well aware of common threats to health information and best security practices. But threats remain that are not widely appreciated or understood.

For instance, I.T. staff members are not always aware of all software purchases being made by a hospital. The I.T. pros understand the security ramifications of a department buying an ancillary information system on its own, but departmental personnel may not.

"Most security issues have to do with things the I.T. department doesn't know about," Smaling contends. "Unless I.T. is involved in the procurement process, computers will unknowingly enter the organization and fall under the security radar."

Other security threats that are out in the open and well understood nevertheless remain unappreciated by large segments of the health care industry. For example, less than 20% of hospitals encrypt their laptops and backup tapes, estimates Mac McMillan, CEO of CynergisTek Inc., an Austin, Texas-based security firm.

And there are some threats that may be seen as more hype than real because they aren't regularly being encountered. But the hype surrounding such issues as compliance with the Sarbanes-Oxley Act and provider or patient identity theft could be preemptive warning shots of problems to come. "I'm a security hawk, so the more attention to increasing security the better," says Randy Gainer, a partner in the Seattle office of law firm Davis Wright Tremaine LLP. "I don't agree that there is hype. There's a lot of attention to security and there should be."

Unappreciated security threats in health care organizations aren't hard to find, says Ron Strachan, vice president and CIO at HealthEast Care System, a St. Paul, Minn.-based delivery system. "The basics are being taken for granted."

Health care I.T. vendors, for instance, "clearly haven't made security a high priority," he contends. "When we do a security audit of an application, we're not finding three or four items, but 15 to 20."

When confronted, vendors respond "reasonably well" to fix security weaknesses, Strachan says. "But vendors still are not proactively looking for threats that we can see, and if they are, they're not doing as much as they need to be."

Ironically, he adds, the problem is most prevalent with the industry's largest vendors, which have the most resources to deal with security.

HealthEast in recent years has increased its frequency of security audits, Strachan says. Still, he fears that while many providers are adequately strengthening their firewalls and perimeters, they are not shoring up defenses at the application level because of "blind trust" that the vendors have implemented adequate security.

But vendors often don't do their own security tests before distributing software to clients, adds Kristi Reese, senior security analyst at HealthEast.

Shining a light
