Securing a health care platform from the start

By Brian T. Horowitz

Close to 90 percent of health care providers have suffered data breaches in the past two years, and half of them were criminal in nature, according to a May Ponemon Institute report.

To avoid breaches, a health care system must be “tamper-proof” from the start, noted Dr. Mansur Hasib, a cybersecurity leader and author of “Impact of Security Culture on Security Compliance in Healthcare.”

“With hardware and software vendors, tamper proofing is going to be very critical,” Hasib told Power More.

“Right now many of the [medical] devices are not tamper-proof, and that’s where the problem is,” he added, noting that some medical devices such as a pacemaker would require a third-party provider to protect them from being hacked.

Security was a key consideration from the start for companies such as HealthSpot, which has placed telemedicine kiosks in pharmacies and other convenient locations in California, Florida, Minnesota and Ohio. The kiosk incorporates a Dell SonicWALL TZ 215 Series firewall with intrusion prevention, and the kiosk's wireless traffic is encrypted. Encrypting patient data and controlling who may reach the network are technical safeguards: the firewall lets IT managers set policies on how the network is accessed, which helps a product meet the Health Insurance Portability and Accountability Act (HIPAA) but does not by itself make it compliant. HIPAA compliance requires transparency, policy and administrative safeguards, Hasib said.

The kiosk incorporates common devices doctors use, such as blood pressure cuffs, weight scales and thermometers. To keep personal health data from being intercepted or stolen, HealthSpot built the firewall and data encryption into the kiosk from the start rather than relying on a third-party security vendor.

“Putting it in from the get-go was a huge advantage for us,” Eric Eichensehr, HealthSpot CTO, told Power More.

The firewall, which Dell OEM Solutions delivers and supports, provides deep packet inspection inside and outside the LAN as well as application-layer protection, without compromising on network performance.

Software company Orion Health uses SonicWALL content filtering and Deep Packet Inspection so that it does not need security from an outside partner, and to protect its systems from viruses and malware. The SonicWALL firewalls and Dell KACE systems-management software secure its desktops and laptops.

“Previously, at our remote offices, if I needed to access a specific service from a specific partner or potential customer, I had to open ports from firewalls all over the world — a security risk,” Brad Clark, systems engineer for Orion Health, said in a case study.

Deep packet inspection lets the company monitor all of its internet traffic, including Secure Sockets Layer (SSL)-encrypted traffic, so it remains protected against viruses and other threats. Inspecting SSL traffic works by having the firewall terminate the encrypted session, examine the content and re-encrypt it toward the destination, so every managed endpoint must trust the firewall's inspection certificate, and any category of traffic the organization must not decrypt needs an explicit exclusion from inspection.

Consider privileged account management

Another way to protect sensitive data is privileged account management software, such as the One Identity products Dell offers, which lets IT managers control administrative access through automated, policy-based workflows. The software also keeps an audit trail of who used which privileged account, and when.

When a doctor opens more electronic health records (EHRs) than policy allots, administrators can be notified. If a doctor were only permitted to look at one or two EHRs at a time, “the moment they access three or four records, shouldn’t that send a bunch of alarm bells?” Hasib asked.

IT managers can overlay privileged account management software on a health care system to flag unreasonable behavior when doctors log in, Hasib said.

“There are rules you can set on what is allowed behavior and what is not allowed behavior,” he explained.
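The rule Hasib describes, a user opening more distinct records than their allotment in a short period, is easy to state and worth seeing as actual detection logic run over an audit log. The block below is an added example written for this page; it is not HealthSpot's, Dell One Identity's or Dr. Hasib's code. The audit-log format, the ten-minute window, the allotment of two records and the sample log lines are all constructed for the illustration.

```python
"""Sliding-window rule: alert when a user opens more distinct patient records
than their role allots within a short period.

Added illustration of the rule described above; it is not HealthSpot's,
Dell One Identity's or Dr. Hasib's code. The audit-log format, the window and
the per-role allotment are assumptions made for the example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of an EHR audit log: "<ISO timestamp> <user> <action> <record>"
SAMPLE_LOG = """\
2015-06-01T09:00:05 dr.patel VIEW MRN-1001
2015-06-01T09:02:40 dr.patel VIEW MRN-1002
2015-06-01T09:03:10 dr.patel VIEW MRN-1002
2015-06-01T09:04:00 dr.patel VIEW MRN-1003
2015-06-01T09:04:30 dr.patel VIEW MRN-1004
2015-06-01T09:10:00 nurse.kim VIEW MRN-2001
2015-06-01T09:11:00 nurse.kim VIEW MRN-2002
2015-06-01T10:30:00 dr.patel VIEW MRN-1005
"""

ALLOTTED = 2                    # distinct records a user may have open at once (assumed)
WINDOW = timedelta(minutes=10)  # how long a view counts as "still open" (assumed)


def parse_line(line):
    ts, user, action, record = line.split()
    return datetime.fromisoformat(ts), user, action, record


def detect_excess_access(log_text, allotted=ALLOTTED, window=WINDOW):
    """Return one alert per episode in which a user exceeds the allotment.

    The log is assumed to be in chronological order, as audit logs normally
    are. Re-opening a record already in the window does not add to the count,
    and an alert fires only when the user crosses the threshold, not on every
    further access while already over it, so a bad actor cannot bury the
    SOC in duplicate alerts.
    """
    recent = defaultdict(deque)   # user -> deque of (timestamp, record)
    over_limit = set()            # users currently in an alerting episode
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, record = parse_line(line)
        if action != "VIEW":
            continue
        views = recent[user]
        views.append((ts, record))
        while views and ts - views[0][0] > window:   # expire views older than the window
            views.popleft()
        distinct = {r for _, r in views}
        if len(distinct) > allotted:
            if user not in over_limit:
                over_limit.add(user)
                alerts.append((ts.isoformat(), user, sorted(distinct)))
        else:
            over_limit.discard(user)   # back under the limit; a later episode can alert again
    return alerts


if __name__ == "__main__":
    for when, who, records in detect_excess_access(SAMPLE_LOG):
        print(f"{when} ALERT {who} opened {len(records)} records within {WINDOW}: {records}")
```

On the sample log the detector raises a single alert for dr.patel at 09:04:00, when the third distinct record is opened; the fourth record does not produce a second alert, and the view at 10:30 falls outside the window and starts a fresh count. In production the threshold would come from the user's role and the log would be the EHR system's own access audit, not the firewall's.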

In recent health care data breaches, attackers acquired elevated privileges on systems and compromised users’ credentials, Healthcare IT News reported.

Financial institutions and auditors also use privileged account management to ensure compliance with Sarbanes-Oxley and to monitor who accesses bank accounts.

Incorporate encryption and vulnerability monitoring

Building protection into the application from the start gives a platform such as HealthSpot the vulnerability monitoring it needs. In addition, storing data in the cloud allows HealthSpot to minimize its attack surface, according to Eichensehr.

“So we couldn’t have been out there on day one without something like that protecting us from all the malicious things that can happen on the Internet, because we’re 100 percent dependent on the Internet with our solution,” Eichensehr said.

When designing embedded systems with a communications component, companies should build in data-encryption software and anti-malware protection. Products like Dell Data Protection | Encryption (DDP|E), which encrypts data at rest on endpoints, can help organizations such as HealthSpot and FastMed Urgent Care, the sixth-largest urgent care network in the U.S., provide that part of the protection.

Protocols such as OAuth2 can encrypt communications and match a device to the identity of its user, noted Jackson Shaw, a senior director for identity and access product management at Dell Software Group.

OAuth2 is an authorization framework: it lets mobile, Web and desktop applications obtain scoped access tokens, and it is designed to run over Hypertext Transfer Protocol (HTTP). The confidentiality of that exchange comes from carrying it over TLS, not from OAuth2 itself. To establish who the user is, and not only what the application may do, embedded devices should add an OpenID Connect identity layer on top of the OAuth2 protocol.

The protocols can be used when a device establishes a connection to an Internet of Things (IoT) hardware vendor’s infrastructure. IoT is the growing trend in which machines and sensors communicate with each other over the Internet.

“Any device that requires you to register it with the IoT vendor’s servers could use OAuth2/OpenID Connect,” Shaw told Power More.
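What the OpenID Connect layer actually adds to OAuth2 is an ID token, a signed JSON Web Token asserting who authenticated, and the security of the scheme rests on the receiving side validating that token properly. The block below is an added example of that validation written for this page; it is not code from Dell, Jackson Shaw or any OpenID Connect library. The issuer, client ID, secret, nonce, clock value and all tokens are made up, and it uses the HS256 (HMAC-SHA256) signing option so that it runs with only the standard library; real deployments against a public identity provider usually verify RS256 or ES256 signatures against the provider's published keys instead. The example also shows, in passing, the point made above about encryption: the claims in the token are only base64-encoded, so anything confidential in it is protected by the TLS channel, not by the token.

```python
"""Validating an OpenID Connect ID token before trusting the identity it carries.

Added example, not code from Dell, Jackson Shaw or any OIDC library. ISSUER,
CLIENT_ID, SECRET, NONCE, NOW and every token below are constructed values.
"""
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Issue a compact JWS (header.payload.signature) as an identity provider would.
    alg='none' is supported only so the example can show such a token being rejected."""
    header = {"alg": alg, "typ": "JWT"}
    parts = [b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
             b64url_encode(json.dumps(claims, separators=(",", ":")).encode())]
    signing_input = ".".join(parts).encode()
    sig = b"" if alg == "none" else hmac.new(secret, signing_input, hashlib.sha256).digest()
    return ".".join(parts + [b64url_encode(sig)])


class TokenError(ValueError):
    pass


def validate_id_token(token, secret, issuer, client_id, nonce, now=None, leeway=60):
    """Check the signature first, then the claim checks OpenID Connect Core requires."""
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
    except ValueError:
        raise TokenError("malformed token")
    header = json.loads(b64url_decode(h_b64))
    # Pin the algorithm the relying party expects; never let the token choose it.
    # Honouring the header is how alg=none and key-confusion attacks get in.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise TokenError("bad signature")
    claims = json.loads(b64url_decode(p_b64))   # only now is the payload trustworthy
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        raise TokenError("token not meant for this client")
    if len(aud) > 1 and claims.get("azp") != client_id:
        raise TokenError("azp mismatch")
    if "exp" not in claims or claims["exp"] + leeway < now:
        raise TokenError("expired or missing exp")
    if claims.get("iat", now) - leeway > now:
        raise TokenError("issued in the future")
    if claims.get("nonce") != nonce:            # ties the token to this login attempt
        raise TokenError("nonce mismatch (replayed token?)")
    return claims


# --- constructed values for the demonstration --------------------------------
SECRET = b"constructed-client-secret-not-real"
ISSUER = "https://login.iot-vendor.example"
CLIENT_ID = "kiosk-app-7f3a"
NONCE = "n-8b1c2d"
NOW = 1_433_160_000  # fixed clock so the results are deterministic

GOOD = mint_id_token({"iss": ISSUER, "sub": "device-00042", "aud": CLIENT_ID,
                      "exp": NOW + 300, "iat": NOW, "nonce": NONCE}, SECRET)
WRONG_AUD = mint_id_token({"iss": ISSUER, "sub": "device-00042", "aud": "some-other-app",
                           "exp": NOW + 300, "iat": NOW, "nonce": NONCE}, SECRET)
ALG_NONE = mint_id_token({"iss": ISSUER, "sub": "attacker", "aud": CLIENT_ID,
                          "exp": NOW + 300, "iat": NOW, "nonce": NONCE}, SECRET, alg="none")
# GOOD's signature reused over a payload edited after signing.
_h, _p, _s = GOOD.split(".")
_edited = json.loads(b64url_decode(_p))
_edited["sub"] = "device-99999"
TAMPERED = ".".join([_h, b64url_encode(json.dumps(_edited, separators=(",", ":")).encode()), _s])


def rejection_reason(token, now=NOW):
    """None if the token is acceptable for this client, otherwise why it was rejected."""
    try:
        validate_id_token(token, SECRET, ISSUER, CLIENT_ID, NONCE, now=now)
        return None
    except TokenError as err:
        return str(err)


if __name__ == "__main__":
    for name, tok in [("GOOD", GOOD), ("WRONG_AUD", WRONG_AUD),
                      ("ALG_NONE", ALG_NONE), ("TAMPERED", TAMPERED)]:
        print(f"{name:10s} -> {rejection_reason(tok) or 'accepted'}")
    print("GOOD after 10 min ->", rejection_reason(GOOD, now=NOW + 600))
```

The order of the checks matters: the signature is verified before any claim is read, the algorithm is fixed by the relying party rather than taken from the token, and the nonce binds the token to the specific registration or login attempt so a captured token cannot be replayed against another device. A device that registers with a vendor's servers using OAuth2 and OpenID Connect should apply the same checks to whatever ID token it receives.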

Securing systems from the development phase is worth the cost to avoid the impact of intellectual property (IP) loss and brand damage if a data breach occurs, said Michael Cioffi, director of embedded sales engineering at Intel Security.

Although building security in from the beginning cannot guarantee that a data breach won’t occur, it is a smart policy.

“I highly encourage security and privacy by design from the outset,” Shaw said.
