Health IT Summit: Trust matters with privacy and security
BOSTON—Sometimes the best advice is to trust no one, or no device.“We don’t trust devices or users, and the internal network is considered untrusted,” said David Reis, vice president of IT governance, portfolio management and security at Lahey Hospital & Medical Center, discussing privacy and security during a panel session at the iHT2 Health IT Summit.
The approach Lahey has taken is rigorous access control, which allows the hospital to know what device gets plugged in, who plugs the device in and for what documents.
“We use data exfiltration so we can watch data flows,” he said. “When you look at it, you can see where data are moving and what users are doing.”
Citing National Security Agency whistleblower Edward Snowden’s unfettered access to documents, John Meyers, PhD, assistant professor of medicine and director of technology in the department of medicine at Boston University Medical Center, said more efforts are underway at establishing policies that control data at the source.
This entails data tracking. “Just by looking at traffic patterns, you can see how friendly or unfriendly the data flow is.” Any data flow that is suspicious immediately gets tagged for review.
To ensure privacy and security, providers must formulate an appropriate policy that details granular level access and control for each user, said Julian Lovelock, senior director of product marketing, at HID Global.
Also, to prevent a large breach, Meyers advised creating structures that do not allow users to download data in bulk. If they require large datasets for research, he suggested letting them open a file but not download the information on their device.
“I strongly believe in limiting people’s access to bulk information so it can’t be downloaded and copied,” Meyers said. “They can do analytics, but can’t do it in their own computing environment and definitely not in the cloud.”
The issue of trust is the first consideration when choosing a cloud vendor.
“You have to ask if you trust the vendor and its employees and question whether there is back door access for the vendor,” said Lovelock, suggesting that providers put prospective vendors through standardized assessments to measure trustworthiness.
Providers must be realistic when it comes to understanding security risks with cloud providers, said Cameron Camp, security researcher at ESET. ”Cloud vendors have different business priorities than you, so matching that with reality is important. You have to be honest with where your starting point really is,” he said.
Business associate agreements (BAAs) also play a role in forming trust. “We blocked Dropbox because they won’t sign a BAA,” said Reis. When establishing a BAA with Microsoft, it was an iterative process, but many cloud providers have a take-it-or-leave-it approach to BAAs.
Looking to the future, Loveback said is he concerned about the proliferation of phishing attacks that are targeting users while appearing to come from a cloud provider. “People already log into multiple portals. It’s a very strong use case for centralizing authentication.”
Affordability also presents a problem for many providers wishing to move to the cloud. Monthly subscription rates can add up, and it isn’t something an organization can own and capitalize on. Also, he noted that many cloud providers try to cap liability costs in case of a costly privacy and security leak.
But, Camp said while three to five years ago it was like the Wild West with the proliferation of new cloud services, overall now “there is a higher level of trust.”