While ideal for security, it would inhibit critical information sharing in integrated systems

There are ways for healthcare organizations to protect the electronic health records (EHR) of their patients. But a segregated network for EHR is generally not one of them, says Martin Fisher, director of information security for Atlanta-based Wellstar Health System.

Fisher disputes a recommendation for segregated networks by Robert Hudock, a lawyer and certified “ethical hacker” cited yesterday in CSO Online‘s story on the epidemic of healthcare data breaches.

Hudock’s first recommendation to protect EHR, made in an interview last May with FierceEMR, is to keep them on a segregated network “if at all possible.” In that interview, Hudock said the Veterans Administration (VA) segregated its EHR after suffering significant infections, and improved its security significantly.

Fisher agreed that a segregated network would be useful for systems like the VA’s, but he said that is because they are not integrated. “It’s an insurance provider, and it also has a hospital network,” he said. “So, you could segregate the insurance from the hospitals.”

But, he said, segregation of EHR data simply is not feasible or practical for integrated health systems such as Wellstar, which includes five hospitals, five urgent care centers, 14 satellite diagnostic imaging centers, one adult congregate living facility, one skilled nursing facility, one inpatient hospice and more than 500 primary care providers, specialists and advanced practitioners.

Fisher said he and other infosecurity directors in health care are charged under HIPAA (Health Insurance Portability and Accountability Act) to protect patient data. “We have to put barriers around it, and require things like multi-factor authentication and encryption,” he said.

“But I also have to be able to make the information available immediately in an emergency,” he said.
“A 90-second delay if you’re waiting at an ATM for your money is an inconvenience. But if it takes 90 seconds to figure out if you’re allergic to penicillin, it could be a matter of life and death.”

“We’re riding a really difficult edge,” he said. “We have to enable care providers to provide fast, safe patient care, and I get tired of people who have never done it talking about [segregation] like it’s a no-brainer.”

The other problem is that segregation in an integrated network becomes almost meaningless because the network is “woven into everything we do,” Fisher said. “It would be like segregating 90% from the other 10%. Everything pivots on the EHR.”

However, Fisher did say he is making efforts to segregate biomedical equipment from the main network. Barnaby Jack, director of embedded device security at IOActive, famously demonstrated this past October at a conference that due to poor software programming, pacemakers from several manufacturers could be commanded to deliver a deadly, 830-volt shock from someone on a laptop up to 50 feet away.

“Things like delivery of pharmaceuticals and oxygen, and implanted devices are all fantastic for patient care,” Fisher said. “But they are sort of the biomed equivalent of SCADA (Supervisory Control and Data Acquisition). They have a long shelf life and a slow turnaround [for updates]. So we have to assume they are vulnerable, and anywhere a computer is attached to a human, we’re doing our best to protect it.”

Hudock told CSO Online on Wednesday that he agreed with much of what Fisher said, but he noted that his recommendation was for segregation “if possible,” adding: “I don’t disagree that EHR needs to be available.”

Hudock said segregation may be complicated in some cases but that it does work when properly implemented to safeguard systems. He said if it is not practical, it is important to understand the risks of the EHR systems and the other software that you’re purchasing.
“Sometimes, you can’t patch it.”

Fisher agrees purchases are critical. “We are influencing vendors,” he said. “Ten years ago, [vendors] were not interested in solving the security problem, because it was not seen as the problem. Now they realize they have to become more operational and more secure.”
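Fisher's approach of isolating biomedical equipment, which cannot be patched on a normal cycle, from the main hospital network can be illustrated with a firewall policy. The following nftables ruleset is an added example and is not Wellstar's configuration nor anything described in the article; the VLAN interface (vlan50), the biomed address range (10.50.0.0/24), the address of an integration server (10.10.1.20) and the single permitted application port (TCP 2575, the IANA-registered HL7 MLLP port) are all assumed values chosen for the illustration. The design mirrors the SCADA comparison in the text: the device zone is default-deny in both directions, only one named system may open connections into it, devices may answer only that system, and every other crossing attempt is logged and counted so that it shows up in monitoring.

```nft
#!/usr/sbin/nft -f
# Added example (not from the article): hypothetical nftables policy that
# walls off a biomedical-device VLAN from the rest of a hospital network.
# All addresses, interface names and ports below are assumed for illustration.
flush ruleset

define BIOMED_NET = 10.50.0.0/24    # assumed address range of the biomed VLAN
define BIOMED_IF  = "vlan50"        # assumed router interface facing that VLAN
define INTEGRATOR = 10.10.1.20      # assumed integration/interface server
define APP_PORT   = 2575            # HL7 MLLP, the only application flow allowed

table inet biomed_segmentation {
    chain forward {
        # Default deny for anything routed into or out of the biomed VLAN.
        type filter hook forward priority 0; policy drop;

        # Let reply packets of already-permitted connections through.
        ct state established,related accept

        # Only the integration server may initiate connections into the zone,
        # and only to the one application port.
        iifname != $BIOMED_IF oifname $BIOMED_IF \
            ip saddr $INTEGRATOR ip daddr $BIOMED_NET tcp dport $APP_PORT accept

        # Devices may push results back, but only to that same server and port.
        iifname $BIOMED_IF oifname != $BIOMED_IF \
            ip saddr $BIOMED_NET ip daddr $INTEGRATOR tcp dport $APP_PORT accept

        # Anything else crossing the boundary is logged and counted before the
        # chain policy drops it; the counters give a quick view of lateral
        # movement attempts or a misconfigured device trying to reach the LAN.
        iifname $BIOMED_IF log prefix "biomed-egress-denied: " counter drop
        oifname $BIOMED_IF log prefix "biomed-ingress-denied: " counter drop
    }
}
```

Load it with `nft -f` on the router or firewall that sits between the VLANs, and review the counters with `nft list ruleset`; a rising egress-denied counter is worth an alert, since a device that should only ever talk to the integration server has no legitimate reason to reach anything else. The same default-deny shape applies whatever firewall product is in use; nftables is used here only because its syntax is compact enough to read at a glance.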