Feds on medical IT networks: Lock 'em down

A threat lurks within healthcare organizations. More than 13 million people work in healthcare, and the portability and remote connectivity of more than 800,000 physicians introduce additional risk into medical IT networks. Failure to implement a robust security program will impair an organization’s ability to protect patients and their medical information from intentional and unintentional loss or damage, according to a bulletin published this month by the National Cybersecurity and Communications Integration Center (NCCIC).

“Technology developers are frequently creating and selling new technologies that change and expedite the way healthcare personnel carry out their mission essential functions,” the bulletin stated. “As a result, healthcare and public health sector owners and operators are consistently challenged to keep up with modern technology.”

From implantable and external medical devices to portable computing devices, the expanded use of wireless technology on the enterprise networks of medical facilities, together with physicians' growing reliance on wireless connectivity, opens up both new opportunities and new vulnerabilities for patients and medical facilities.

Make no mistake, the threats are real. According to the bulletin, approximately 64 percent of websites had at least one information leakage vulnerability in 2010. Additionally, the number of targeted phishing attacks rose astronomically during the last quarter of 2010, averaging 70 per day.

Information theft is a major concern. Attacks can come from any direction, from insider data theft to malware and phishing. The bulletin noted that most insiders who steal do so within 30 days of leaving an organization. It laid out several best practices for implementing a layered security approach, including:
  • Purchasing only those networkable medical devices that have well-documented, fine-grained security features and that the medical IT network engineers can configure safely on their networks.
  • Including in purchasing contracts vendor support for ongoing firmware, patch and antivirus updates, where those are a suitable risk mitigation strategy.
  • Operating well-maintained external-facing firewalls, network monitoring, intrusion detection and, to the extent practical, internal network segmentation that contains the medical devices.
  • Configuring access control lists on these network segments so that only positively authorized accounts can access them.
  • Establishing strict policies for the connection of any networked devices, particularly wireless devices, to the health information network, including laptops, tablets, USB devices, PDAs and smartphones, such that no access to networked resources is granted to unsecured or unrecognized devices.
  • Establishing policies to maintain, review and audit network configurations as routine activities whenever the medical IT network is changed.
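As an added illustration of the segmentation, access-control-list and configuration-audit items above (example code written for this page, not taken from the NCCIC bulletin), the following Python sketches a default-deny access policy for a medical-device segment and a drift check of the deployed rule set against a reviewed baseline. The segment addresses, device identifiers, ports and flows are constructed assumptions for illustration, not data from the bulletin.

```python
"""Default-deny access policy for a medical-device network segment, plus an
ACL drift audit. Added example; all addresses, device names and flows below
are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed segments (hypothetical addressing plan).
SEGMENTS = {
    "med-devices": ip_network("10.20.0.0/24"),
    "clinical-ws": ip_network("10.10.0.0/24"),
    "corp-lan": ip_network("10.30.0.0/24"),
}

# Constructed allow-list of recognized devices: address -> device identifier.
# Anything not listed here is treated as an unrecognized device.
RECOGNIZED = {
    "10.10.0.15": "ws-icu-01",
    "10.20.0.40": "infusion-pump-12",
    "10.20.0.41": "patient-monitor-03",
}


@dataclass(frozen=True)
class Rule:
    """One positively authorized flow between two segments."""
    src_segment: str
    dst_segment: str
    dst_port: int
    protocol: str = "tcp"


# The reviewed baseline: only these flows are permitted into the device segment.
BASELINE_ACL = frozenset({
    Rule("clinical-ws", "med-devices", 2575),  # HL7 over MLLP from clinical workstations
    Rule("clinical-ws", "med-devices", 443),   # vendor web console over TLS
})


@dataclass(frozen=True)
class Flow:
    """A connection attempt as seen at the segment boundary."""
    src: str
    dst: str
    dst_port: int
    protocol: str = "tcp"


def segment_of(addr):
    """Return the segment name containing addr, or None if it is unknown."""
    ip = ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return None


def evaluate(flow, acl=BASELINE_ACL, recognized=RECOGNIZED):
    """Return (allowed, reason). Default deny: an unrecognized source device,
    an address outside every known segment, or a flow with no matching allow
    rule are all refused."""
    if flow.src not in recognized:
        return False, "unrecognized source device"
    src_seg, dst_seg = segment_of(flow.src), segment_of(flow.dst)
    if src_seg is None or dst_seg is None:
        return False, "address outside any known segment"
    rule = Rule(src_seg, dst_seg, flow.dst_port, flow.protocol)
    if rule in acl:
        return True, f"matched {rule}"
    return False, "no allow rule matches (default deny)"


def audit_acl(current, baseline=BASELINE_ACL):
    """Report drift between the deployed ACL and the reviewed baseline, so a
    routine review can see exactly which rules were added or removed."""
    return {
        "added": sorted(set(current) - set(baseline), key=repr),
        "removed": sorted(set(baseline) - set(current), key=repr),
    }


if __name__ == "__main__":
    for f in (Flow("10.10.0.15", "10.20.0.40", 2575),   # authorized HL7 flow
              Flow("10.30.0.7", "10.20.0.40", 2575),    # unrecognized corp host
              Flow("10.10.0.15", "10.20.0.40", 22)):    # SSH not on allow-list
        print(f, evaluate(f))
    # Simulated undocumented change: someone opened RDP from the corporate LAN.
    print(audit_acl(set(BASELINE_ACL) | {Rule("corp-lan", "med-devices", 3389)}))
```

The point of the structure is that the device segment is reachable only through flows that were deliberately written down: a recognized workstation on an approved port is admitted, while an unknown host, an unknown destination, or an unlisted port is refused without any further logic, and any rule that appears in the deployed set but not in the baseline shows up in the audit output for review.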

Read the bulletin.
