Segregated healthcare networks rarely work, expert says

There are ways for healthcare organizations to protect the electronic health records (EHR) of their patients. But a segregated network for EHR is generally not one of them, says Martin Fisher, director of information security for Atlanta-based Wellstar Health System.

Fisher disputes a recommendation for segregated networks by Robert Hudock, a lawyer and certified "ethical hacker" cited yesterday in CSO Online's story on the epidemic of healthcare data breaches.

Hudock's first recommendation to protect EHR, made in an interview last May with FierceEMR, is to keep them on a segregated network "if at all possible."

In that interview, Hudock said the Veterans Administration (VA) segregated its EHR after suffering significant infections, and improved its security significantly.

Fisher agreed that a segregated network would be useful for systems like the VA's, but he said that is because they are not integrated. "It's an insurance provider, and it also has a hospital network," he said. "So, you could segregate the insurance from the hospitals."

But, he said, segregation of EHR data simply is not feasible or practical for integrated health systems such as Wellstar, which includes five hospitals, five urgent care centers, 14 satellite diagnostic imaging centers, one adult congregate living facility, one skilled nursing facility, one inpatient hospice and more than 500 primary care providers, specialists and advanced practitioners.

Fisher said he and other infosecurity directors in health care are charged under HIPAA (Health Insurance Portability and Accountability Act) to protect patient data. "We have to put barriers around it, and require things like multi-factor authentication and encryption," he said.

[See related interview: Why healthcare IT security is harder than the rest]

"But I also have to be able to make the information available immediately in an emergency," he said. "A 90-second delay if you're waiting at an ATM for your money is an inconvenience. But if it takes 90 seconds to figure out if you're allergic to penicillin, it could be a matter of life and death."

"We're riding a really difficult edge," he said. "We have to enable care providers to provide fast, safe patient care, and I get tired of people who have never done it talking about [segregation] like it's a no-brainer."

The other problem is that segregation in an integrated network becomes almost meaningless because the network is "woven into everything we do," Fisher said. "It would be like segregating 90% from the other 10%. Everything pivots on the EHR."

However, Fisher did say he is making efforts to segregate biomedical equipment from the main network. Barnaby Jack, director of embedded device security at IOActive, famously demonstrated this past October at a conference that, due to poor software programming, pacemakers from several manufacturers could be commanded to deliver a deadly 830-volt shock by someone with a laptop up to 50 feet away.

"Things like delivery of pharmaceuticals and oxygen, and implanted devices are all fantastic for patient care," Fisher said. "But they are sort of the biomed equivalent of SCADA (Supervisory Control and Data Acquisition). They have a long shelf life and a slow turnaround [for updates]. So we have to assume they are vulnerable, and anywhere a computer is attached to a human, we're doing our best to protect it."

Hudock told CSO Online on Wednesday that he agreed with much of what Fisher said, but he noted that his recommendation was for segregation "if possible," adding: "I don't disagree that EHR needs to be available."

Hudock said segregation may be complicated in some cases but that it does work when properly implemented to safeguard systems. He said if it is not practical, it is important to understand the risks of the EHR systems and the other software that you're purchasing. "Sometimes, you can't patch it."

Fisher agrees purchases are critical. "We are influencing vendors," he said. "Ten years ago, [vendors] were not interested in solving the security problem, because it was not seen as the problem. Now they realize they have to become more operational and more secure."

Stories by Taylor Armerding