Servers in Health Care
The healthcare industry has benefited from the breakneck pace of digitization, spanning everything from payments to patient records to X-ray film, but it has also been increasingly exposed to greater risk. Efforts to increase healthcare provider productivity through greater digitization and system interconnectivity have to be counterbalanced against growing concerns for patient privacy and a backdrop of increasing liability.
In the wake of these concerns, a number of regulations have emerged for IT professionals in the healthcare industry to navigate. Beyond the standard set of IT security concerns that most IT departments must confront, many of the systems utilized in healthcare not only require special vulnerability management efforts but also fall under the auspices of the US Food and Drug Administration (FDA), which complicates things further. Another pain point specific to the industry is the proliferation of embedded systems or medical devices that operate with their own unique set of security challenges.
To manage these challenges, IT professionals in the healthcare industry turn to the typical array of security solutions used by their counterparts across other industries. Network intrusion prevention systems (IPS) are utilized to segment and defend the network. Patch management tools are used to quickly roll out security patches. Unfortunately, perimeter-oriented network IPS require ongoing operational resources, from constant tuning to the management of “noise” due to false alarms. Security patches may mitigate vulnerabilities but are resource intensive to install, require time to test and validate, and may introduce new risks and problems.
Blue Lane’s patch protection gateway, PatchPoint™, provides inline vulnerability remediation for server operating systems, databases, enterprise applications and medical devices, offering instant application protection with zero footprint, zero downtime, and zero tuning. PatchPoint utilizes inline patches that are functionally equivalent to software security patches. An inline patch mimics the corrective action of the security patch for network-accessible vulnerabilities, no matter how complex, to address the vulnerability at the root cause.
Regulatory Compliance
Unlike other industries, where security events may cause inconveniences or financial losses, healthcare organizations in the United States are directed by several federal initiatives that mandate the implementation of rigorous security and privacy controls. The most widely publicized initiative of recent years is the Health Insurance Portability and Accountability Act (HIPAA). If the healthcare organization is also a public company, then additional efforts must be devoted to IT security in order to achieve Sarbanes-Oxley (SOX) compliance. The Food and Drug Administration (FDA) and its policies also require the attention of IT professionals, because the usage (and security) of most medical devices falls under FDA guidance. Below is a brief synopsis of each initiative and its impact on healthcare providers:
- HIPAA is perhaps the most widely recognized regulation that directly impacts healthcare providers. The standards are meant to improve the efficiency and effectiveness of the US health care system by encouraging the use of electronic data interchange. There are two sets of standards stemming from HIPAA: privacy standards that seek to protect patient data from improper disclosure or use, and security standards that safeguard patient data from unauthorized access. The security portion is further subdivided into three safeguard standards: administrative, technical and physical. Among the key applicable HIPAA standards that pertain to the patching challenges mentioned above, organizations must:
  - Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits;
  - Protect against any reasonably anticipated threats or hazards to the security or integrity of such information;
  - Implement policies and procedures to protect electronic protected health information from improper alteration or destruction; and
  - Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
- SOX (specifically Section 404) requires that public companies have “adequate internal controls” and that the controls be well documented. These requirements refer to business continuity planning and risk mitigation. Although the regulations do not specifically require the installation of patches or reasonable steps toward vulnerability mitigation, they are designed to ensure that reasonable steps are taken to mitigate risk, measure these efforts over time and document procedures.