Think your networks are secure?

September 9, 2002

Now that security and privacy of patient-specific health information are focal points of hospital administration, a sense of urgency affects recruitment of IT security officers and implementation of new security schemes. Qualified IT security talent

Now that security and privacy of patient-specific health information are focal points of hospital administration, a sense of urgency affects recruitment of IT security officers and implementation of new security schemes.

Qualified IT security talent isn't that easy to find, however. Some security experts believe hospitals are taking huge risks by transferring current IT employees into security roles unprepared and unqualified, said Markus DeShon, Ph.D., of SecureWorks, an Atlanta-based company that designs software to protect corporate networks from hackers.

"One of the biggest mistakes companies make is giving the job of IT security to the system administrator, rather than building a dedicated security team," DeShon said.

He suggests that companies often focus too much on hardware and not enough on the expertise of the people protecting the networks.

As if the Health Insurance Portability and Accountability Act alone weren't enough to sharpen healthcare security concerns, the attacks of Sept. 11 have given the entire U.S. economy cause to reflect on just how vulnerable their networks are to cyber penetration, said Tom Turner, vice president of marketing for OKENA, an intrusion prevention company.

Mere intrusion detection is no longer adequate. Prevention technologies that protect IT systems from inappropriate or malicious behavior represent the next frontier for the security industry.

"The security industry has spent 10 years building hundreds of companies that offer detection," Turner said. "We need prevention, especially in the post-Sept. 11 world. Prevention has to be the security industry's mantra."

Defense in depth is the key to securing digital patient data, according to Turner. It is not just the servers in which the data reside that need securing, but also the desktops and laptops that grant access to this information.

"It is also important to provide security that does not rely solely on user authentication," Turner said. "If these controls are bypassed and administrator privileges are granted, then all the data within the system are at risk."

Security officers need technologies that can define how applications can be used and what they can access in order to provide security for data even if someone achieves administrator privilege.

"We see numerous attacks that are not stopped through traditional means," said Pete Lindstrom, director of security strategies for the Hurwitz Group.

This trend is expected to continue. Seeking a proactive solution to prevent attacks instead of reacting after they hit presents a tremendous cost savings for information security budgets, he said.