For IT security professionals, 2003 promises to be a year filled with old and new challenges. Whether balancing the needs of security with the push for greater access to data, coping with government mandates or planning for possible budget cuts, IT security managers have their hands full.
Frank M Richards is already scrambling to deal with those challenges. As CIO at Geisinger Health System, a health care network in Danville, Pennsylvania, that serves more than 2 million people, he faces an April deadline for compliance with the US federal Health Insurance Portability and Accountability Act (HIPAA). The law will require health care organisations to safeguard patient data from unauthorised access and disclosure.
But HIPAA sets goals without giving specifics on how to get there, so Richards must balance the legal requirements with a demand from health professionals for ease of access — a daunting challenge.
"This can be particularly problematic in the medical field, where care providers are under tremendous time pressures," he says. Understanding workflow, assessing risk and educating users are all key components of a security system that achieves the correct balance between access and control, he says.
Geisinger's Electronic Medical Record (EMR) program focuses on easing access to data. It lets physicians at 50 clinics use mobile devices to order medications, receive alerts, enter patient progress notes and communicate with patients. Another program, MyChart, lets patients access their medical information via the Internet.
Both programs raised security issues. For example, security needs dictated that the database that powers MyChart be installed on hardware separate from the EMR system. Richards' staff is also evaluating biometric and proximity devices as ways to streamline secure network access. And caregivers accessing patient information via the Internet will be required to use token identification in addition to a virtual private network or other encryption method, he says.
Richards says he expects 2003 to be the year when security technologies such as intrusion detection finally begin to deliver on their promises. "Inadequate analysis tools, incompatibility with existing network management software and inability to handle large volumes of data have combined to keep us from deploying these tools until very recently," he says.
Intrusion-detection system functionality will also begin to merge with firewalls in 2003, just as many organisations begin replacing first-generation appliances, according to analyst John Pescatore at Gartner US.
Strive for Better Recognition
This will also be the year when many organisations raise the profile of the IT security function. Geisinger's new security business plan calls for the creation of a chief information security officer position. "This will take the present IT system security officer position and elevate it to a more senior level, and will have it report [to corporate leadership] outside of IT," Richards says.
In Loudoun County, Virginia., the IT department recently hired its first information systems security administrator. Previously, IT security functions were delegated throughout the IT department, says IT director Eugene D Troxell. "This position was recruited and filled at a time when the county government has a hiring freeze in place," which reflects a new understanding by management about the importance of IT security, he says.
At Geisinger, Richards also received support from the board of directors, which issued a statement last spring calling for a "a governance structure that supports the most effective and efficient provision of information security." This doesn't mean that funding is unlimited, but it does ensure that security will be given a higher priority than in years past, he says.
And most IT security budgets are reflecting this new emphasis. IT security's share of the IT budget was 4.3 per cent in 2002 but will rise to 5.4 per cent by 2005, says Pescatore.
Geisinger spends about $US400,000 annually on IT security, including personnel, software and maintenance. Richards says he expects that to increase to about $US600,000 by 2005, excluding any systems or assistance needed to respond to new threats.
But while security is a high priority, funding still doesn't come easily. The IT component of Loudoun County's 2002 annual independent financial audit included network security — another first. Among the audit's recommendations were performing an annual security vulnerability review and enhancing the security awareness program to ensure that all employees understand issues and policies, says Troxell. But in today's economy, funding an IT security program is unlikely because it would take dollars away from projects, such as new schools, roads and health care.
Geisinger has also had its share of economic challenges. Nonetheless, "investment in IT has been supported consistently by senior management and the board of directors," Richards says. "As a 20-year veteran of IT, I can honestly say that security concerns are more a part of people's consciousness than at any time in the past."