Segregated healthcare networks rarely work, expert says

There are ways for healthcare organizations to protect the electronic health records (EHR) of their patients. But a segregated network for EHR is generally not one of them, says Martin Fisher, director of information security for Atlanta-based Wellstar Health System.

Fisher disputes a recommendation for segregated networks by Robert Hudock, a lawyer and certified "ethical hacker" cited yesterday in CSO Online's story on the epidemic of healthcare data breaches.

Hudock's first recommendation to protect EHR, made in an interview last May with FierceEMR, is to keep them on a segregated network "if at all possible."

In that interview, Hudock said the Veterans Administration (VA) segregated its EHR after suffering significant infections, and improved its security significantly.

Fisher agreed that a segregated network would be useful for systems like the VA's, but he said that is because they are not integrated. "It's an insurance provider, and it also has a hospital network," he said. "So, you could segregate the insurance from the hospitals."

But, he said, segregation of EHR data simply is not feasible or practical for integrated health systems such as Wellstar, which includes five hospitals, five urgent care centers, 14 satellite diagnostic imaging centers, one adult congregate living facility, one skilled nursing facility, one inpatient hospice and more than 500 primary care providers, specialists and advanced practitioners.

Fisher said he and other infosecurity directors in health care are charged under HIPAA (Health Insurance Portability and Accountability Act) to protect patient data. "We have to put barriers around it, and require things like multi-factor authentication and encryption," he said.

"But I also have to be able to make the information available immediately in an emergency," he said. "A 90-second delay if you're waiting at an ATM for your money is an inconvenience. But if it takes 90 seconds to figure out if you're allergic to penicillin, it could be a matter of life and death."

"We're riding a really difficult edge," he said. "We have to enable care providers to provide fast, safe patient care, and I get tired of people who have never done it talking about [segregation] like it's a no-brainer."

The other problem is that segregation in an integrated network becomes almost meaningless because the network is "woven into everything we do," Fisher said. "It would be like segregating 90% from the other 10%. Everything pivots on the EHR."

However, Fisher did say he is making efforts to segregate biomedical equipment from the main network. Barnaby Jack, director of embedded device security at IOActive, famously demonstrated at a conference this past October that, because of poor software programming, pacemakers from several manufacturers could be commanded by someone on a laptop up to 50 feet away to deliver a deadly, 830-volt shock.

"Things like delivery of pharmaceuticals and oxygen, and implanted devices are all fantastic for patient care," Fisher said. "But they are sort of the biomed equivalent of SCADA (Supervisory Control and Data Acquisition). They have a long shelf life and a slow turnaround [for updates]. So we have to assume they are vulnerable, and anywhere a computer is attached to a human, we're doing our best to protect it."

Hudock told CSO Online on Wednesday that he agreed with much of what Fisher said, but he noted that his recommendation was for segregation "if possible," adding: "I don't disagree that EHR needs to be available."

Hudock said segregation may be complicated in some cases but that it does work when properly implemented to safeguard systems. He said if it is not practical, it is important to understand the risks of the EHR systems and the other software that you're purchasing. "Sometimes, you can't patch it."

Fisher agrees purchases are critical. "We are influencing vendors," he said. "Ten years ago, [vendors] were not interested in solving the security problem, because it was not seen as the problem. Now they realize they have to become more operational and more secure."

