Security’s Challenge in the Highly-Regulated Health Care World

Bruce Forman, chief information officer (CIO) at UMass Memorial Medical Center, describes how to balance legitimate data access with security in a highly regulated environment.  


Is your organization’s traditional “network perimeter” dissolving? If so, does this affect your approach to security?

The network perimeter has been dissolving for quite some time, as more and more organizations, including our own, source some of our core applications from application service providers. The perimeter thus has to include entities that are not a core part of the network.

Your approach has to first rely on the security controls maintained by those other entities, to validate that their controls are reasonable. You then need to focus on where the data resides and provide controls that are data centric, rather than network centric. These controls are built into an application and, leveraging user authentication and authorization, give an individual access to a particular set of data so you can control what they can and cannot access.

As a health care provider, we need to provide our partners the information they need to provide a continuum of care while protecting patient privacy and complying with HIPAA requirements. To balance those needs, we try to provide the minimum necessary access using a combination of preventative and detective controls. A preventative control, for example, might specify which patients an outside provider can access data on. A detective control might aggregate all the audit log events, such as who accessed or made a change to a record, actively monitor those actions, and find and investigate anomalies.

How do you track “data sprawl” as a health care organization?

This challenge isn’t completely resolved, but it became much less of a problem last October when we switched to a single application to house most of our medical records. Prior to that, data sprawl was a very large issue. We had concerns about which system was the single source of truth, with different groups accessing the same data from different systems. This would lead to questions about which data is the most up-to-date.  

Have you implemented a people-centered IT security strategy? 

I think of this as role-based access. Based on information about a user, such as job title, we uniquely identify what they should be allowed to access. We then use our monitoring capabilities to find behavior that deviates from the norm.

For example, it might be normal for a scheduler to visit 200 patient records each day. If we saw somebody instead access 2,000 records a day, that would be something to investigate. In addition, you would expect them to make an edit in most of those 200 records as they make or change appointments. A scheduler going in and out of a few records without making a change is understandable, because those patients might not make an appointment during the call. But, again, if the scheduler accessed many, many records without editing any, they might be harvesting information to commit identity theft.
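The detective control described earlier (aggregating audit log events and looking for anomalies) and the scheduler example above can be expressed as a small batch check over access logs. The following is an added Python example and is not code from UMass Memorial or the interviewee; the audit event format, the role baseline of 200 daily views, the 5x volume multiplier, the minimum edit ratio and the 50-record floor are all assumptions chosen to illustrate the two patterns he describes: far more record views than the role normally produces, and many records viewed with almost none edited.

```python
"""Detective control over EHR audit events (added example, not UMass code):
compare each user's daily record views and edit ratio against a role baseline."""
from typing import Dict, List, NamedTuple, Tuple


class AuditEvent(NamedTuple):
    user: str
    role: str
    day: str        # ISO date the event occurred on
    record_id: str  # patient record touched
    action: str     # "view" or "edit"


# Assumed per-role baselines. In practice these come from observed history,
# not from a hard-coded table.
ROLE_BASELINES: Dict[str, Dict[str, float]] = {
    "scheduler": {"daily_views": 200, "min_edit_ratio": 0.5},
}


def _synthetic_day(user: str, role: str, day: str, n_views: int, n_edits: int) -> List[AuditEvent]:
    """Constructed sample data: the user views n_views distinct records and
    edits the first n_edits of them on the given day."""
    events = []
    for i in range(n_views):
        rid = f"MRN-{i:05d}"  # constructed record identifier
        events.append(AuditEvent(user, role, day, rid, "view"))
        if i < n_edits:
            events.append(AuditEvent(user, role, day, rid, "edit"))
    return events


# Constructed audit log: one normal scheduler, one with a volume spike and few
# edits, and one with normal volume but almost no edits.
SAMPLE_EVENTS: List[AuditEvent] = (
    _synthetic_day("alice", "scheduler", "2024-03-04", 180, 150)
    + _synthetic_day("bob", "scheduler", "2024-03-04", 2000, 10)
    + _synthetic_day("carol", "scheduler", "2024-03-04", 120, 3)
)


def summarize(events: List[AuditEvent]) -> Dict[Tuple[str, str], dict]:
    """Group events by (user, day) into distinct records viewed and edited."""
    summary: Dict[Tuple[str, str], dict] = {}
    for ev in events:
        entry = summary.setdefault(
            (ev.user, ev.day), {"role": ev.role, "viewed": set(), "edited": set()}
        )
        if ev.action == "view":
            entry["viewed"].add(ev.record_id)
        elif ev.action == "edit":
            entry["edited"].add(ev.record_id)
    return summary


def find_anomalies(
    events: List[AuditEvent],
    baselines: Dict[str, Dict[str, float]] = ROLE_BASELINES,
    volume_multiplier: float = 5.0,
    min_records: int = 50,
) -> List[Tuple[str, str, str, int]]:
    """Return (user, day, reason, count) findings.

    'volume': distinct records viewed exceeds volume_multiplier x the role's
              normal daily views.
    'low_edit_ratio': at least min_records viewed but the share of those
              records also edited is below the role's minimum. The floor
              keeps a scheduler who browsed a handful of records without
              booking anything from being flagged."""
    findings = []
    for (user, day), entry in sorted(summarize(events).items()):
        base = baselines.get(entry["role"])
        if base is None:
            continue  # no baseline for this role; nothing to compare against
        n_viewed = len(entry["viewed"])
        n_edited = len(entry["edited"])
        if n_viewed > base["daily_views"] * volume_multiplier:
            findings.append((user, day, "volume", n_viewed))
        if n_viewed >= min_records and n_viewed > 0 \
                and n_edited / n_viewed < base["min_edit_ratio"]:
            findings.append((user, day, "low_edit_ratio", n_edited))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE_EVENTS):
        print(finding)
```

With the constructed log, alice produces no finding, bob is flagged for both volume and a low edit ratio, and carol is flagged only for the low edit ratio. Findings are grouped by user and day so an analyst sees one row per user-day rather than one per event; in a real deployment the baselines would be learned per role from historical audit data rather than typed in.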

Is data from the Internet of Things (IoT), such as wearables, a security concern for you?

I’m more concerned about the efficacy of the data than the security. If you come into my office and I take your blood pressure, I know it’s accurate. But if you go to another provider to have your blood pressure taken, or get a reading from a wearable device, I have less assurance of its accuracy. It’s useful, but I need to know where it came from when I make a medical decision.

What other IT security issues are you grappling with?

One of the biggest is around the increasing number of medical devices that are being connected to the network, so information from them can be automatically added to medical records. Since many of these devices were not originally intended to be network attached, the security available on them is not necessarily enterprise grade. It’s a challenge for us to inventory those devices, and then put controls in place to assure the confidentiality and integrity of the data, as well as patient safety.