Security transcends devices and IT

June 3, 2005

Security is not something that you buy and install, according to Dr. Paul Chang, director of radiology informatics at the University of Pittsburgh Medical Center. A proper security model transcends devices and technology. It requires a reengineering of user behavior, attitude, and philosophy.

Chang had been introduced at the Society for Computer Applications in Radiology's membership luncheon as the latest SCAR Fellow. He treated students at a SCAR University session to one of his favorite security rants.

"Healthcare users are under the misconception that security is an IT problem," he said.

The Health Insurance Portability and Accountability Act has made security one of healthcare's hottest topics.

"It's one thing to lose a paper chart, but it's another to expose your medical records to the outside world," Chang said.

Attacking a hospital is probably low on a hacker's priority list, he said. The threat is more likely to emanate from inside, from disgruntled or reckless employees, or from physically insecure facilities. Whatever the source, the consequences are significant if security is breached.

Hospitals tend to house data centers and network server closets wherever there is room.

"Is your data center located below the laundry?" Chang said.

He suggested that it takes only one burst pipe to knock the center offline. Peripheral closets that have inadequate air conditioning and ventilation invite overheating and subsequent meltdown.

Securing the network requires more than installation of a firewall, which must continually be evaluated. Firewalls are just computers that need to be updated, he said.

Chang advised aggressively monitoring backdoor access to the network, including such innocuous portals as PACS and scanners.

"Modems are a no-no, and don't let the vendor slip a backdoor in under the guise of service access," Chang said. "Make them go through IT and get a virtual private network account like everyone else."
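The monitoring Chang calls for (watching every path into PACS and scanners, allowing no modems, and forcing vendor service access through the same VPN as everyone else) can be expressed as a small policy check over firewall session logs. The script below is an added illustration, not code from the article or from Chang; the subnet layout, the `via=` field, the log format and every log line in it are constructed for the example.

```python
"""Audit constructed firewall session records for network-access policy violations:
any dial-in (modem) session, and any outside source that reaches an imaging device
(PACS, scanner) without coming through the VPN.  Hypothetical layout and log format."""

import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Assumed network layout (not from the article): imaging devices sit in one subnet,
# everything in 10/8 is the hospital LAN, and the only sanctioned path for an
# outside source is the VPN concentrator, which the firewall tags as via=vpn.
IMAGING_SUBNET = ipaddress.ip_network("10.20.0.0/24")
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
SANCTIONED_REMOTE_PATH = "vpn"

# Constructed log format: "<date> <time> CONN src=<ip> dst=<ip> dport=<n> via=<path>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) CONN "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) via=(?P<via>\S+)$"
)


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Return the parsed fields of one CONN line, or None for any other line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["src"] = ipaddress.ip_address(rec["src"])
        rec["dst"] = ipaddress.ip_address(rec["dst"])
    except ValueError:
        return None  # malformed address: skip the record rather than abort the audit
    rec["dport"] = int(rec["dport"])
    return rec


def is_internal(addr) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def classify(rec: dict) -> Optional[str]:
    """Return a reason string when a session violates the policy, else None."""
    if rec["via"] == "dialin":
        return "dial-in (modem) session"
    if (rec["dst"] in IMAGING_SUBNET and not is_internal(rec["src"])
            and rec["via"] != SANCTIONED_REMOTE_PATH):
        return "outside source reached imaging device without the VPN"
    return None


def audit(lines: Iterable[str]) -> list[Finding]:
    """Run every line through the parser and policy check; collect violations."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify(rec)
        if reason:
            findings.append(Finding(rec["ts"], str(rec["src"]), str(rec["dst"]), reason))
    return findings


# Constructed sample log.  dport 104 is the registered DICOM port, used here to
# stand in for PACS traffic; the addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
2005-06-03 08:12:01 CONN src=198.51.100.20 dst=10.20.0.17 dport=104 via=vpn
2005-06-03 08:15:44 CONN src=203.0.113.9 dst=10.20.0.17 dport=104 via=internet
2005-06-03 08:20:10 CONN src=192.0.2.77 dst=10.20.0.40 dport=23 via=dialin
2005-06-03 08:25:00 CONN src=10.5.4.3 dst=10.20.0.17 dport=104 via=lan
2005-06-03 08:30:00 CONN src=203.0.113.9 dst=10.30.0.8 dport=443 via=internet
this line is not a CONN record and is ignored
""".splitlines()

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.ts} {f.src} -> {f.dst}: {f.reason}")
```

Of the five constructed sessions, only two are reported: the direct internet connection to the PACS host and the dial-in session. The vendor session that arrives through the VPN, the LAN workstation, and the internet session to a non-imaging host all pass, which is exactly the distinction Chang draws between a sanctioned VPN account and a slipped-in service backdoor.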

Users can find security help from Carnegie Mellon's Computer Security Response Team (CERT), or Microsoft's Windows Security Hardening Guide, both accessible online.

Ultimately, however, users are on their own.

"Security requires cultural reengineering of user behavior, and that can be more challenging than the technology itself," Chang said.