Firewalls may not protect networks from hackers

Hospital radiology departments have many options for meeting data security requirements

By: John C. Hayes

Although most hospital image archives are protected by firewalls, breaking into them from within the hospital is a fairly easy process, according to PACS consultant Herman Oosterwijk.

Hospital data networks often have wall sockets in a variety of locations. Plugging into those sockets may provide access from behind the firewall. It is then simply a matter of getting an IP address and an AE title (the computer equivalent of a phone number and extension) to access the image, Oosterwijk said during a SCAR session on security.

Guessing or even faking the AE title is almost a trivial matter, he said. Once connected, a laptop PC could become the equivalent of a workstation, giving the user wide access to images and other hospital information.

Securing the archive could include closing off access to the network ports. A more sophisticated approach would be to implement data authorization and authentication procedures within the system, Oosterwijk said.
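As an added illustration of what an authorization check on the archive side can look like (this is not from the article or from Oosterwijk), the Python sketch below audits association requests against a registry that ties each calling AE title to the addresses it is expected to use. The log format, AE titles, addresses and registry are all constructed assumptions.

```python
"""Audit DICOM association requests against registered AE title / IP pairs.
Added example: log format, AE titles and addresses are constructed."""
import ipaddress

# Assumed registry: calling AE title -> addresses or subnets it may use.
REGISTERED = {
    "CT_ROOM1": ["10.20.1.15"],
    "RAD_WS_03": ["10.20.2.0/28"],
}

# Constructed sample log: "<timestamp> ASSOC-RQ calling=<AE> called=<AE> src=<IP>"
SAMPLE_LOG = """\
2024-01-01T09:12:01 ASSOC-RQ calling=CT_ROOM1 called=ARCHIVE src=10.20.1.15
2024-01-01T09:13:40 ASSOC-RQ calling=RAD_WS_03 called=ARCHIVE src=10.20.2.7
2024-01-01T09:15:22 ASSOC-RQ calling=RAD_WS_03 called=ARCHIVE src=10.20.9.44
2024-01-01T09:16:05 ASSOC-RQ calling=LAPTOP called=ARCHIVE src=10.20.9.44
2024-01-01T09:17:00 ECHO unrelated line that the parser must skip
"""

def parse_line(line):
    """Return (timestamp, calling AE, source IP), or None for other lines."""
    parts = line.split()
    if len(parts) < 3 or parts[1] != "ASSOC-RQ":
        return None
    fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
    if "calling" not in fields or "src" not in fields:
        return None
    return parts[0], fields["calling"], fields["src"]

def classify(calling, src, registry=REGISTERED):
    """Label one request: ok, unknown-ae, ae-ip-mismatch or bad-source."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "bad-source"
    allowed = registry.get(calling)  # exact match: AE titles are case-sensitive
    if allowed is None:
        return "unknown-ae"
    if any(addr in ipaddress.ip_network(n, strict=False) for n in allowed):
        return "ok"
    return "ae-ip-mismatch"

def audit(log_text, registry=REGISTERED):
    """Return (timestamp, AE, IP, verdict) for every request that is not ok."""
    findings = []
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        verdict = classify(rec[1], rec[2], registry)
        if verdict != "ok":
            findings.append(rec + (verdict,))
    return findings
```

A matching pair only filters out unregistered or misplaced peers; it does not authenticate the device, so it complements rather than replaces the authentication procedures mentioned above.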

Data security is a growing concern for hospitals and other healthcare facilities, largely because of the requirements of the federal Health Insurance Portability and Accountability Act.

A number of sessions at SCAR addressed security concerns. Oosterwijk discussed the technical and administrative aspects of network security, which he described as 25% technology and 75% procedures.

One strategy for the administrative side is to consider security in terms of zones. A radiology department, the first zone, is fairly easy to secure, requiring simply that access to the department be closed off. But as the zones expand, security becomes increasingly difficult. The fourth zone, networks of networks, is the toughest to secure: How can patient data be secured after it is sent to a referring physician?

Oosterwijk recommended checking the RSNA's Integrating the Healthcare Enterprise project's framework for security. These guidelines are rapidly becoming a standard for security implementation, he said.