A 150-bed hospital once installed a PACS and then left uncorrected several security flaws that a penetration test had identified. Perhaps not surprisingly, the PACS was infected by a virus that took down not only the imaging department but the entire hospital's IT network.
Could this happen to your facility? Maybe, but the odds of it occurring are far lower if you conduct regular vulnerability scans, penetration tests, and security audits, according to security industry experts.
Many healthcare facilities, especially those with small IT staffs, don't recognize how easily minor changes can make their network vulnerable to intrusion. And facilities that outsource IT services have no guarantee of the quality of protection being provided unless they test it. Vulnerability scanning and penetration testing identify these weaknesses before an attacker does; they are distinct from intrusion detection, which monitors a network for attacks already under way.
By its very nature, an IT environment is dynamic. The regular addition and removal of users, password changes, computer component swapouts, new software, and new equipment mean that regular security checks are advisable. Experts recommend that a comprehensive vulnerability assessment be conducted at least every six months, or sooner whenever there is a major change to the network. Penetration testing goes a step further than scanning: it attempts to exploit the weaknesses found, the way an attacker would, which shows which ones actually matter and helps prioritize remediation.
"What you don't know, you don't know," emphasized Michael McMillan, president and CEO of CynergisTek, an Austin, TX, firm that specializes in providing information security management, regulatory compliance, and IT audit solutions to healthcare organizations. "Each and every change on a network creates an opportunity or a vulnerability. No matter how small, no healthcare IT network is static. No matter how secure an IT professional or team tries to make a network, there is always the potential for error or to overlook something."
Experts recommend that a small hospital or imaging center have both internal and external vulnerability testing conducted every six months. Large hospitals and integrated delivery networks (IDNs) may opt for quarterly or monthly tests. End users can purchase vulnerability scanning software or engage a security specialist to provide the service.
Both internal and external tests can be conducted remotely, McMillan explained. "We mail a 'testing box' to our client that connects to a server or a workstation. This is used to systematically probe each component of the network against the software's library of known vulnerabilities."
As part of its vulnerability assessments, CynergisTek uses vulnerability scanning software from Qualys, a Redwood Shores, CA-based company. Qualys claims to have the largest vulnerability database in the industry, currently performing over 6,000 unique checks and adding an average of 25 newly identified vulnerabilities each week.
"For an external scan, we test every IP address that is publicly available, and look to see if there are any vulnerabilities a hacker could take advantage of or exploit," McMillan said.
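The external scan McMillan describes boils down to two steps: find what each publicly reachable address is running, then compare it against a library of known-vulnerable versions. The following Python is an added example written for this article, not CynergisTek's or Qualys's code. It grabs the greeting banner from each target port, parses product and version out of it, and matches against a constructed library in which the product names are real but the affected-version cutoffs and the EXAMPLE-* advisory identifiers are made up. To run offline it spins up throwaway loopback listeners that play the role of exposed services.

```python
import re
import socket
import threading
from dataclasses import dataclass


@dataclass(frozen=True)
class VulnEntry:
    service: str
    max_affected: tuple      # versions <= this tuple are treated as affected (assumption)
    advisory: str            # hypothetical identifier, not a real CVE
    severity: int            # 1 (low) .. 5 (critical)


# Constructed "known vulnerability" library: products are real, the
# affected-version cutoffs and advisory IDs are invented for this example.
VULN_LIBRARY = [
    VulnEntry("OpenSSH", (4, 3), "EXAMPLE-SSH-001", 4),
    VulnEntry("ProFTPD", (1, 3, 0), "EXAMPLE-FTP-002", 5),
    VulnEntry("Apache", (2, 0, 59), "EXAMPLE-HTTP-003", 3),
]

BANNER_RE = re.compile(r"(OpenSSH|ProFTPD|Apache)[_/ ]v?(\d+(?:\.\d+)*)")


def parse_version(text):
    """'2.0.52' -> (2, 0, 52); tuple comparison orders versions correctly."""
    return tuple(int(p) for p in text.split("."))


def match_banner(banner):
    """Map a service banner to (advisory, severity) pairs from the library."""
    m = BANNER_RE.search(banner)
    if not m:
        return []
    service, version = m.group(1), parse_version(m.group(2))
    return [(e.advisory, e.severity) for e in VULN_LIBRARY
            if e.service == service and version <= e.max_affected]


def grab_banner(host, port, timeout=2.0):
    """Connect and read whatever the service volunteers first; None if unreachable or silent."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            return s.recv(256).decode("ascii", errors="replace").strip()
    except OSError:
        return None


def scan(targets):
    """targets: iterable of (host, port). Returns findings, most severe first."""
    findings = []
    for host, port in targets:
        banner = grab_banner(host, port)
        if banner is None:
            continue
        for advisory, severity in match_banner(banner):
            findings.append({"host": host, "port": port, "banner": banner,
                             "advisory": advisory, "severity": severity})
    return sorted(findings, key=lambda f: -f["severity"])


def serve_banner(banner):
    """Throwaway loopback listener that greets every client with `banner`;
    it stands in for an exposed service so the example runs offline."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return          # listener was closed
            with conn:
                conn.sendall(banner.encode() + b"\r\n")

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1], srv


def demo():
    """Scan two fake services: an affected OpenSSH version and a ProFTPD above the cutoff."""
    port_ssh, srv_ssh = serve_banner("SSH-2.0-OpenSSH_4.3")
    port_ftp, srv_ftp = serve_banner("220 ProFTPD 1.3.2 Server ready.")
    try:
        return scan([("127.0.0.1", port_ssh), ("127.0.0.1", port_ftp)])
    finally:
        srv_ssh.close()
        srv_ftp.close()


if __name__ == "__main__":
    for f in demo():
        print(f"{f['host']}:{f['port']} {f['advisory']} sev={f['severity']} ({f['banner']})")
```

A commercial scanner differs in scale, not in kind: a far larger library, active probes for services that do not announce themselves, and checks that confirm a weakness rather than trusting a version string. Banner matching alone produces false positives when vendors backport fixes without bumping the version, which is one reason the reports need an experienced reader.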
Medical device vulnerability
Many diagnostic modalities are inherently insecure, according to McMillan. He attributes this to system design and to the platform the modality runs on, noting that some vendors don't design products with security in mind.
"Medical device manufacturers need to pay a lot more attention to security," McMillan emphasized. "They don't think of the ways that a hacker could corrupt data on a device. This is more than an issue of just hacking; this is an issue of patient safety." He strongly recommends that every new medical device added to a network be independently tested for security vulnerabilities.
In McMillan's experience, a baseline assessment of an average-sized network will generate 1,500 to several thousand findings. Hardening a new, out-of-the-box computer or server running a Microsoft Windows operating system can involve 200 to 400 settings, and it's easy to overlook some of them during configuration.
Interpreting the reports from a vulnerability scan can be daunting for IT staff who are not accustomed to reading them. A typical freestanding imaging center doesn't have this expertise, according to McMillan, and a client may also lack the expertise to correct a major problem once it is found.
"Unfortunately, we encounter systems on networks to which we cannot add a security patch to counteract identified vulnerabilities, because the patch will interfere with the operation of the system," he noted. "Remote administrative system monitoring can also be a big headache if the vendor providing the service has configured it in an insecure fashion." In these situations, the network is redesigned so that the unpatchable system sits in its own segment behind a separate firewall, reachable only from the hosts that need to talk to it.
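What "behind a separate firewall" buys you is easiest to see by evaluating the same traffic against a flat network and against a segmented one. The following Python is an added example, not the article's or CynergisTek's code: a minimal first-match rule evaluator in the style of a firewall ACL, plus a constructed address plan (PACS segment 10.20.0.0/24, modalities 10.10.0.0/24, reading workstations 10.30.0.0/24, a vendor jump host at 10.40.0.5) and constructed sample flows. The DICOM ports 104 and 11112 are the real registered ones; everything else about the addresses and rules is an assumption.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    src: str                    # source CIDR
    dst: str                    # destination CIDR
    ports: Optional[frozenset]  # destination TCP ports; None means any port
    note: str = ""


def evaluate(rules, src_ip, dst_ip, port):
    """First matching rule wins; an exhausted rule list means deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and (r.ports is None or port in r.ports)):
            return r.action, r.note
    return "deny", "implicit default deny"


# "Before": the PACS sits on the flat hospital LAN and anything can reach it.
FLAT_NETWORK = [
    Rule("allow", "0.0.0.0/0", "0.0.0.0/0", None, "no segmentation"),
]

# "After": the PACS segment is behind its own firewall. Only the flows the
# system needs are permitted; vendor remote administration is confined to an
# audited jump host instead of being exposed to the whole LAN or the Internet.
SEGMENTED = [
    Rule("allow", "10.10.0.0/24", "10.20.0.0/24", frozenset({104, 11112}),
         "modalities send DICOM to the PACS"),
    Rule("allow", "10.30.0.0/24", "10.20.0.0/24", frozenset({104, 11112, 443}),
         "reading workstations: query/retrieve and web viewer"),
    Rule("allow", "10.40.0.5/32", "10.20.0.0/24", frozenset({22}),
         "vendor remote admin only via the jump host"),
    Rule("deny", "0.0.0.0/0", "10.20.0.0/24", None,
         "everything else to the PACS segment is dropped"),
]

# Constructed sample flows: (source, destination, port, description).
FLOWS = [
    ("10.10.0.7", "10.20.0.10", 104, "CT scanner pushes a study"),
    ("10.30.0.12", "10.20.0.10", 443, "radiologist opens the web viewer"),
    ("10.0.5.99", "10.20.0.10", 445, "infected admin PC probes SMB on the PACS server"),
    ("198.51.100.23", "10.20.0.10", 3389, "Internet host tries the vendor remote-admin port"),
    ("10.40.0.5", "10.20.0.10", 22, "vendor engineer connects via the jump host"),
]


def audit(rules, flows):
    """Return {description: action} for every sample flow under a rule set."""
    return {desc: evaluate(rules, s, d, p)[0] for s, d, p, desc in flows}


if __name__ == "__main__":
    before, after = audit(FLAT_NETWORK, FLOWS), audit(SEGMENTED, FLOWS)
    for desc in before:
        print(f"{desc:55s} flat={before[desc]:5s} segmented={after[desc]}")
```

The point of the exercise is the third and fourth flows: the unpatchable weakness is still there, but an infected PC elsewhere in the hospital, or an outside host hunting for the vendor's remote-administration service, can no longer reach it. Rule order matters in a first-match evaluator, so the catch-all deny belongs last and the evaluation should be re-run whenever a rule is added.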
Consult with IT staff
McMillan recommends that radiology staff always coordinate the purchase of a RIS, PACS, advanced visualization, or speech recognition system with the organization's chief information officer (CIO) and the IT organization. In the earlier example of a 150-bed hospital, the radiology department purchased and installed the PACS without notifying the IT staff.
When the CIO learned of the installation, CynergisTek was retained to test it. The PACS had not been configured in a secure manner, and the remote administration also proved to be insecure. The system not only created a huge vulnerability in the hospital's network, but the way that it was being administered remotely made it simple to hack, according to McMillan.
Nothing was done about the situation after it was identified, presumably because of a lack of radiology department funds and internal hospital politics. Eventually, the PACS was infected by a virus that ultimately took down the entire hospital network. All of this could have been avoided before the PACS was purchased if the IT staff had been involved, McMillan observed.
Barrage from Brazil
Wyoming Medical Center, a 209-bed hospital in Casper, WY, utilizes a combination of its own IT staff and CynergisTek to do regular testing, according to Don Claunch, CIO. "When I was hired six years ago, one of my primary objectives was to have an independent perimeter security test done. This provided a baseline for us, and everyone was pleased that there was very little wrong with the security of the network."
Over 100 software applications operate on Wyoming Medical Center's network, and the majority of these are accessible over the Web. "Wyoming is rural, and our physicians represent a geographically dispersed community," Claunch said. "Twice-yearly contracted intrusion-detection systems verify that our network is secured."
The network is periodically attacked, usually from unexpected places. Through IP addresses, the hospital has identified one repeat attacker in Brazil, as well as an overzealous computer programmer working in the training center of a major IT vendor.
Testing results difficult to dispute
IT services and network security are increasingly being outsourced because of their complexity. Vulnerability testing not only verifies the competence of a third-party provider; it also demonstrates due diligence on the part of the healthcare provider.
"Regularly scheduled intrusion-detection reporting is one way that a healthcare organization can show due diligence with respect to [Health Insurance Portability and Accountability Act (HIPAA)] compliance. The healthcare provider is responsible for patient data, not a third-party service provider," said Mike Lloyd, Ph.D., chief scientist at RedSeal Systems in Redwood City, CA. RedSeal designs software used by the healthcare industry to map, measure, and mitigate network security using simulation.
"Even when IT security is outsourced, healthcare organizations are legally responsible for the safety and security of patient data," Lloyd said. "In a risky world, you can't make everything perfectly safe. But if you make a demonstration of due diligence of comprehensive risk and compliance reporting on a regular basis, this will document your efforts."
"The ability of software to identify the most important risks to remediate, and to prioritize them, enables an IT team to systematically determine which issues must be resolved with a specific timetable and budget," according to Lloyd. "A healthcare organization may not have the funds available to correct all security issues, and some security measures can cost more than they are worth."
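Lloyd's point is that a finding's raw severity is not enough on its own: what gets fixed first depends on how exposed the affected system is, what it holds, and what the fix costs against a fixed budget. The following Python is an added example and is not RedSeal's method or code. It weights a CVSS base score by two constructed exposure factors (internet-facing, holds patient data), ranks findings, and then picks a remediation set greedily by risk reduced per unit cost, skipping fixes whose return is below a threshold, which is the "costs more than it is worth" case. The findings, costs, weights, and threshold are all invented for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    title: str
    cvss: float            # CVSS base score, 0-10
    internet_facing: bool  # reachable from outside the organization
    holds_phi: bool        # stores or processes patient data
    fix_cost: int          # estimated remediation cost in arbitrary units (assumption)


# Constructed exposure multipliers; real programs calibrate these to their environment.
EXPOSURE_WEIGHT = {"internet_facing": 2.0, "holds_phi": 1.5}


def risk_score(f):
    """CVSS scaled by exposure: a 7.5 on an Internet-facing PHI system
    outranks a 9.0 on an isolated lab machine."""
    score = f.cvss
    if f.internet_facing:
        score *= EXPOSURE_WEIGHT["internet_facing"]
    if f.holds_phi:
        score *= EXPOSURE_WEIGHT["holds_phi"]
    return round(score, 2)


def rank(findings):
    """Highest risk first; cheaper fix breaks ties."""
    return sorted(findings, key=lambda f: (-risk_score(f), f.fix_cost))


def plan(findings, budget, min_return=1.0):
    """Greedy selection by risk removed per unit cost within `budget`.
    Fixes returning less than `min_return` risk per cost unit are deferred
    regardless of budget. Returns (selected, deferred, spent)."""
    selected, deferred, spent = [], [], 0
    for f in sorted(findings, key=lambda f: -(risk_score(f) / f.fix_cost)):
        value = risk_score(f) / f.fix_cost
        if value < min_return or spent + f.fix_cost > budget:
            deferred.append(f)
            continue
        selected.append(f)
        spent += f.fix_cost
    return selected, deferred, spent


# Constructed sample findings (hosts, scores and costs are invented).
FINDINGS = [
    Finding("pacs-web", "Unpatched web viewer", 7.5, True, True, 4),
    Finding("lab-pc-3", "Outdated OS on lab analyzer", 9.0, False, False, 6),
    Finding("ris-db", "Default database admin password", 9.8, False, True, 1),
    Finding("kiosk", "Anonymous FTP enabled", 5.0, True, False, 2),
    Finding("old-modality", "SMBv1 on modality that cannot be patched", 8.1, False, True, 40),
]


if __name__ == "__main__":
    for f in rank(FINDINGS):
        print(f"{risk_score(f):6.2f}  cost={f.fix_cost:3d}  {f.host}: {f.title}")
    selected, deferred, spent = plan(FINDINGS, budget=10)
    print("fix now:", [f.host for f in selected], "spent:", spent)
    print("defer:", [f.host for f in deferred])
```

With these numbers the plan fixes the database password, the web viewer, and the kiosk for 7 of the 10 units, defers the lab analyzer because the remaining budget will not cover it, and defers the unpatchable modality because a 40-unit fix for a 12-point risk does not clear the threshold. That last case is where a compensating control such as the separate-firewall segment described earlier earns its keep: it reduces the exposure factor without touching the device.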
Software that presents its results in clearly defined visuals can make a convincing argument to hospital executives who may not fully understand the recommendations of IT staff. A vulnerability test serves as an independent arbiter.
Stanford Hospital and Clinics in Stanford, CA, purchased RedSeal software in the spring of 2007. "Testing enables us to identify and fix a serious problem very rapidly," said Michael Mucha, information security officer. "It gives us more power to get things done. Its concrete identification of problems, and the level at which the problems exist, enables us to make sensible decisions utilizing the funds we have available, or support our requests for unbudgeted expenses to senior management."
"The software also identifies repeated security vulnerabilities at a low level and enables us to specify regulations and standards for a specific type of equipment," Mucha said. "We can agree upon the level of acceptable security to maintain for anything on the network in a very logical way."
RFP questions about security
Healthcare organizations should include security-related questions in requests for proposal (RFPs) for both medical devices and IT systems. How secure is the device or system? How did you test it? Would the network you are proposing pass a Payment Card Industry Data Security Standard (PCI DSS) audit, the standard the credit card industry imposes on anyone handling cardholder data? Responses to these seemingly simple questions may yield answers that can save a healthcare organization a significant sum of money, according to Lloyd.
In Lloyd's experience, healthcare organizations do not pay enough attention to the costs associated with security when evaluating new products. Acceptance testing, particularly of a RIS or a PACS, should include vulnerability scanning and penetration testing by an independent security expert.
"If a network being proposed for a RIS or PACS can't pass a PCI audit, it's worth asking yourself, 'Should the security of a patient's record be any less robust than the security of a credit card number?' " Lloyd said.
It's definitely worth thinking about.
By Cynthia Keen
AuntMinnie.com staff writer
August 11, 2008
Related Reading
New protocols offer hope for wireless security, June 6, 2005
In depth approach needed for PACS security, January 20, 2005
Security in the wired or wireless world; users are the weakest link, May 24, 2004
Copyright © 2008 AuntMinnie.com