Every information technology department is tasked, at some level, with watching out for the security of its company's data — including (and especially) that of its clients. But there's probably no other sector out there in which that information comes with the sensitivities and critical importance of the data in the healthcare space.
Accordingly, healthcare is under fire from data thieves.
Take this statistic from a recent study by Osterman Research: 75% of the healthcare organizations examined experienced a malware infiltration between 2012 and 2013.
So, what are the soft spots that healthcare IT faces, in particular? The answer is: they'll come as a familiar roster to almost any IT professional. But the responses to the threats are more crucial and in need of more flexibility than in many other environments.
The shortlist is as follows:
- Web Security: The impact of legal liabilities and negative publicity upon healthcare organizations and partners is so potentially massive that the 75% infiltration rate Osterman Research discovered suggests that web security is the clear number-one priority. This is a growing concern as the number of apps and deployed systems that handle the increasing flow of personal health information, and other kinds of files, is on the rise in the healthcare space.
- E-mail Breaches: The other vector that healthcare IT faces is that of phishing via e-mail. "We block more than 3,000 phishing attacks per day - and that's just phishing," Paul Roma, network security administrator for Susquehanna Health, told Osterman. "We have seen several attacks that were specifically targeted toward us as a healthcare organization. Our e-mail filter must have the ability to adjust to new attacks." Two approaches can help shore up healthcare data security, according to the report: either make e-mail HIPAA-compliant or implement policies to keep all PHI out of e-mail.
- Patient-Device Vulnerabilities: Part of providing a good in-patient experience is connecting patients to friends and family outside the caregiving facility. In 2014, that means tablets, smartphones, and laptops. But IT needs to account for the fact that access in this scenario runs both ways. "We have a separate connect for our guest Wi-Fi," says Mark Rodge, at Eaton Rapids Medical Center, in the study. "Guest Wi-Fi goes through a separate datacenter. It has its own router, filter, etc. We've configured it as a failover should our primary connection to the Internet go down."
- Social Media and PHI: Two schools of thought exist among healthcare IT and business leaders: (1) all social media is a vulnerability and should be blocked; (2) social media is an important tool for healthcare organizations seeking to communicate their value to the community and clients. Roma split the difference between those approaches by trimming the list of sites to which staff IP addresses could connect, and then restricting social media use to marketing staff within the office.
One of the underlying policy strategies that begins to emerge from the above examples is that an all-or-nothing strategy isn't the only way to approach healthcare-related IT. Put up an all-encompassing firewall, and your department has probably just invited a world of exception requests.
"We were trying to manage our needs via a firewall appliance, but it didn't integrate with Active Directory," says Shawana Rucker, director of Information Technology at Surgical Specialty Center of Baton Rouge. "It lacked the flexibility we needed."
One recommendation the report supports is a blend of measures: keep the firewall, but add a layer on top of it that allows more dynamic management of filters and exceptions.
Or, put another way, one constant factor in healthcare is the needs of the humans who plug into it. The IT management of the systems they access has to be airtight against data loss, but it also has to be responsive and capable of letting people deliver the best care possible to other people.