Federal regulations, mobility, and security present challenges to healthcare companies which require secure support from IT professionals. By Scott Braynard, VP of Public Sector, Bomgar
In the healthcare industry, concerns over protecting sensitive patient data are heightened as organizations introduce more Internet-connected devices and deploy cloud environments to store and manage information. As these devices share more data across networks, IT professionals and medical device designers are faced with the challenge of how to keep this data secure.
Recent high-profile security breaches in the retail, financial, and insurance industries underscore the need for organizations to keep data secure across a wide network of devices and systems accessed by customers, vendors, and remote workers.
Medical devices, especially those that record patient data for remote-monitored outpatient care, must function as designed while adhering to FDA regulations and HIPAA laws governing privacy and security.
The FDA, in particular, has focused on educating and guiding healthcare professionals, including IT staff, as technology disrupts healthcare. The FDA released guidelines on cybersecurity in medical devices last year, yet many healthcare organizations utilizing cutting-edge technology still lack understanding of how to support these devices while also maintaining compliance.
Results from the U.S. Department of Health and Human Services’ 2012 pilot program testing the industry’s compliance with HIPAA’s Privacy Rule, Security Rule, and Breach Rule standards were not encouraging. Most organizations in the pilot program did not conform to HIPAA standards, and two-thirds of organizations failed to perform a comprehensive, accurate security risk assessment. According to the report, the most common cause of non-compliance was that organizations were “unaware of the requirement.”
A new round of HIPAA audits is launching later this year, this time covering not just healthcare organizations but also hundreds of business associates. The expanded audits will serve as another test for the healthcare industry and those that do business with it. They also put added pressure on medical device designers and manufacturers, as well as the IT professionals supporting them, to meet compliance standards or face fines.
An area of concern governed by HIPAA that must be considered by medical device vendors and healthcare IT staff is how they’re remotely accessing their technology and devices to perform regular maintenance and support.
IT support via secure remote access
Healthcare IT departments and vendors in the medical industry are faced with assisting an increasingly mobile workforce using a wider array of technology devices including smartphones and tablets to conduct their day-to-day jobs. Unfortunately, to support all of these systems and devices, many healthcare IT organizations are using non-secure remote access tools, one of the top attack pathways used by hackers to gain access to sensitive systems and data.
Many healthcare IT departments are still using legacy remote access tools which use an inbound or peer-to-peer connection that requires a port on the end-user’s system to listen for a connection. These “open” ports can be easily found through a relatively simple port scan, after which attackers guess or brute-force the login credentials. To eliminate these back doors, IT departments need to upgrade to modern remote support solutions that leverage outbound connections to access remote systems and allow them to support all types of devices.
IT should also avoid using tools that give support technicians “all or nothing” access and encourage the sharing of login credentials. A remote support solution should require each technician to use individual logins, and then allow administrators to set granular access permissions at the tech and team levels – from which systems a rep can access, to what time of day, and from which device or network they can provide support.
Finally, a remote access system must capture and audit all activity occurring during support sessions and roll that data up into centralized reports so you can analyze activities and trends. Through monitoring and reporting, you will be able to identify any abnormal remote access activity that may be conducted by a hacker and immediately take action.
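The granular permission model and audit roll-up described above, as an added illustration that is not Bomgar’s code: a hypothetical policy keyed by technician restricts which systems can be reached, during which hours, and from which networks, every decision is written to an audit record, and denied attempts are rolled up per technician so abnormal activity stands out. Technician ids, system names and addresses are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network


@dataclass
class Permission:
    """Hypothetical per-technician (or per-team) permission set."""
    systems: set          # systems this technician may support
    allowed_hours: tuple  # (start_hour, end_hour) on a 24h clock, end exclusive
    networks: list        # CIDR strings the technician may connect from


@dataclass
class AccessControl:
    policies: dict                            # technician id -> Permission
    audit_log: list = field(default_factory=list)

    def authorize(self, tech, system, when, source_ip):
        """Evaluate one session request; record the decision either way."""
        perm = self.policies.get(tech)
        if perm is None:
            reason = "unknown technician"
        elif system not in perm.systems:
            reason = "system not permitted"
        elif not (perm.allowed_hours[0] <= when.hour < perm.allowed_hours[1]):
            reason = "outside permitted hours"
        elif not any(ip_address(source_ip) in ip_network(n) for n in perm.networks):
            reason = "source network not permitted"
        else:
            reason = "ok"
        allowed = reason == "ok"
        self.audit_log.append({"tech": tech, "system": system, "time": when.isoformat(),
                               "source": source_ip, "allowed": allowed, "reason": reason})
        return allowed, reason

    def anomaly_report(self):
        """Roll denied attempts up per technician for review."""
        report = {}
        for entry in self.audit_log:
            if not entry["allowed"]:
                report.setdefault(entry["tech"], []).append(entry["reason"])
        return report


# Constructed sample policy: one technician, one EHR database host, business hours,
# connections only from the corporate support network.
SAMPLE = AccessControl(policies={
    "tech-a": Permission({"ehr-db-01"}, (8, 18), ["10.20.0.0/16"]),
})
```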
This added layer of protection can help organizations comply with HIPAA rules on privacy, security and breaches.
Controlling third-party vendor access
Beyond employees, healthcare organizations must also manage the extensive network of outsiders such as IT services or payroll vendors, among others, that require remote access to parts of the network.
These third-party groups need network access to conduct essential business and IT operations. However, this access should not be as simple as “on” or “off.” To protect against security threats, organizations must be in control of centralized vendor access pathways allowing them to enforce access control policies and monitor and record all third-party activity.
The majority of vendors only need access to a single or very small set of systems on the network. Even within this group, they likely don’t need full-time access to those systems. Again, organizations should utilize a remote support tool that includes permission settings by vendor or team, so they can decide who can access what, and when. When organizations are in control of the remote access tool third parties are using, they can change permissions or cut off access at any time.
Many organizations grant remote access to numerous vendors, service providers and other external parties without requiring any standardization in terms of tools or solutions. By forcing every vendor to use a single, consolidated, company-owned solution to remotely access the network, organizations can greatly improve their ability to monitor and block unwanted activity.
A final security measure is two-factor authentication. Verizon’s 2013 Data Breach Investigations Report found that more than 75 percent of network intrusions exploited weak or stolen credentials. Because third parties don’t need constant access to an organization’s network, they often use one remote access tool license and share generic logins and passwords across technicians. Not only does this make it easy for hackers to guess login credentials, it also means vendors’ former employees can still often access corporate systems. Just like internal employees, companies should require that every vendor who accesses the network use unique credentials and two-factor authentication.
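One way to spot the shared generic vendor login described above in session audit data, added here as an example rather than code from the author or from Bomgar: if a single account has overlapping sessions from different source addresses, more than one person is using that credential (or it has been stolen). The session records, account names and addresses are constructed sample values.

```python
from datetime import datetime

# Constructed vendor remote-session records (not real data):
# (account, vendor, session start, session end, source address)
SESSIONS = [
    ("vendor-payroll", "PayCo", "2024-03-04T09:00", "2024-03-04T10:30", "198.51.100.10"),
    ("vendor-payroll", "PayCo", "2024-03-04T09:45", "2024-03-04T11:00", "203.0.113.25"),
    ("vendor-payroll", "PayCo", "2024-03-05T14:00", "2024-03-05T14:20", "198.51.100.10"),
    ("jsmith@itsvc",   "ITSvc", "2024-03-04T08:00", "2024-03-04T09:00", "192.0.2.40"),
    ("jsmith@itsvc",   "ITSvc", "2024-03-04T08:30", "2024-03-04T09:10", "192.0.2.40"),
]


def parse_sessions(records):
    """Turn the raw tuples into (account, start, end, source) with datetimes."""
    return [(acct, datetime.fromisoformat(start), datetime.fromisoformat(end), ip)
            for acct, _vendor, start, end, ip in records]


def shared_credential_suspects(records):
    """Return {account: sorted source addresses} for accounts whose sessions
    overlap in time while coming from different source addresses."""
    by_account = {}
    for acct, start, end, ip in parse_sessions(records):
        by_account.setdefault(acct, []).append((start, end, ip))
    suspects = {}
    for acct, sessions in by_account.items():
        sessions.sort()  # by start time, so only later sessions need checking
        for i, (s1, e1, ip1) in enumerate(sessions):
            for s2, _e2, ip2 in sessions[i + 1:]:
                if s2 < e1 and ip1 != ip2:  # concurrent, different origin
                    suspects.setdefault(acct, set()).update({ip1, ip2})
    return {acct: sorted(ips) for acct, ips in suspects.items()}
```

The second account has overlapping sessions too, but from the same address, so only the generic payroll login is reported; the fix is the one the article gives: unique credentials and two-factor authentication per vendor technician.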
Overcoming uncertainty
What is the state of security against cybercrime in healthcare? Recently, a professional penetration tester with Secure Ideas, whose job is to break into networks in order to find and fix flaws in networks and applications, said it is akin to “the Wild West.”
Unfortunately, the threat of a compromise will never go away, but healthcare organizations can protect themselves with tools such as remote support and access solutions that enhance security and improve compliance with federal regulations.
By being vigilant about the issues outlined above, organizations can take back control of their own security and reduce their risk of a data breach.
About the author
Scott Braynard is the VP of Public Sector for Bomgar, a leader in enterprise remote support solutions for easily and securely supporting computing systems and mobile devices.