Designing a Security Model In Healthcare

The following are my recommendations for a security model for healthcare organizations.

The main goal is to obtain a health information system that is secure, promotes interoperability and is scalable. However, this brings many challenges. For starters, due to its complexity and size, healthcare data is very difficult to process and analyze using common database management tools. As well, securing a system like this requires strong authentication and authorization protocols for access to patient records, as electronic records are much more susceptible to inappropriate access than paper ones. Below is my proposed framework, which includes security protocols and constraints to ensure the confidentiality, integrity, availability and privacy of proprietary medical data. At the core of this model is the authorization and authentication of users, involving different levels of privileges and permissions. Lastly, this framework is designed to safeguard against the common security attacks and threats seen in the healthcare industry.

This security model is broken down into physical security, data encryption, user authentication and authorization, application security, certifications and protocols, and data center backups.

Physical Security

The information security team at a hospital not only has to worry about the virtual security of its assets, but also about their physical security. Many of the same attacks that are conducted over the web (brute force, unauthorized access) can happen physically as well. Healthcare facilities, much like others, are susceptible to crimes such as theft, damage and violence. With so much high-tech equipment everywhere, it is no wonder they are such a target. The following is an outline of a physical security program designed to minimize risk and vulnerability. The main goal of this program is to put obstacles in front of attackers and to harden the physical site against disasters, attacks and accidents.

The first layer of physical protection that should be implemented in a hospital environment is access control. This can be implemented using access control cards and access codes. With this in place, all areas restricted from the public will be closed off with a secure door that requires an ID pad to open it. Each authorized employee should be given an ID badge consisting of a unique ID number and a photograph. As well, each authorized employee should be given a unique access code to enter restricted areas. In short, to gain access, an employee will need to place the ID badge on the ID pad and enter their unique access code to enter a restricted area.

The second layer of protection should be implemented via surveillance. Cameras should be installed throughout the building, i.e. on all floors and in important rooms. The surveillance team should be screened upon hiring and should be present at all hours to monitor the premises. A suggestion would be to use IP cameras. As the healthcare industry continues to grow, it will need technology that grows with it, and IP cameras can be easily scaled and adapted as a customer's needs change over time.

Notification systems such as fire alarms, smoke detectors, motion detectors and thermometers need to be placed in their appropriate locations. For starters, fire alarms need to be placed on every floor within a reasonable distance of employees. Smoke detectors should be placed in areas that are more susceptible to fires. Motion detectors should be used in restricted areas during off hours to ensure there is no unauthorized access. Also, thermometers should be used to monitor important equipment that can overheat.

Lastly, disaster plans should be thought out well in advance and practiced by employees of the hospital. These include fire drills, lockdowns and power outages. All "Exit" signs should be clear and remain illuminated upon loss of power. As well, backup generators should be available on site so equipment keeps functioning in case of blackouts. Exit routes should be posted next to all staircases as well. All of these protocols and this equipment should be tested regularly to ensure proper functioning in case of an emergency.

Encryption

Encryption allows for the secure transfer of data from one point to the other and usually requires the use of keys. Based on my experience in the healthcare field, providers are required to use encryption for important patient information. For this security model I suggest using the Advanced Encryption Standard (AES) algorithm to encrypt data, which is a symmetric key cipher. The overall process for symmetric key encryption is rather simple. At a high level, after authentication, two users agree on a common session key to encrypt and decrypt their data. In practice, this session key disguises the data while it is sent over the network. This prevents anyone eavesdropping from capturing and successfully reading the data. When the data arrives at its intended receiver, the receiver can read it using the same session key.

The AES cipher is the federal government standard, as it has proved to be reliable in terms of its security and is cost-free. More specifically, the 256-bit AES cipher is known to be so secure that it cannot truly be broken by brute force. Other benefits of this cipher include its faster speed compared to older ciphers. Therefore, to protect the confidentiality of patient data, the health information system will encrypt all important patient data with the 256-bit AES cipher.

Authorization and Authentication

Often referred to hand in hand, authorization and authentication are the basis of both physical and virtual security for health information systems. The underlying principle is that only the people who are given access to the information should be able to use it.

In terms of authentication, multi-factor authentication (MFA) should be used in our security model. Multi-factor authentication requires the user to verify their identity in multiple steps before they are granted access. This type of authentication is used with ATM cards and credit cards and is known to be a reliable method. MFA requires that you input something you have (e.g. a password) and something you know (e.g. a security question or PIN). This type of authentication should be used any time a user is attempting to access a health information system.

In terms of authorization, the Principle of Least Privilege should be followed. This essentially states that each user should be handed only the bare minimum privileges needed to perform their task. This type of authorization control should prevent unauthorized users from accessing important healthcare data. As well, permissions for these privileges should be dispensed based on role and specialty. For example, surgeons in the cardiac unit should have different privileges and permissions than practitioners in pediatrics.
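The role-and-specialty rule above can be enforced with a default-deny check like the following (added example in Go, not code from the original post). The role titles, permission names and the grant table are constructed samples; a real deployment would load the table from its identity system.

```go
package main

// Permission names one action on patient data.
type Permission string

const (
	ReadDemographics Permission = "read:demographics"
	ReadNotes        Permission = "read:clinical-notes"
	WriteNotes       Permission = "write:clinical-notes"
)

// unitScoped marks permissions that apply only to records owned by the
// role's own unit; demographics are readable across units.
var unitScoped = map[Permission]bool{ReadNotes: true, WriteNotes: true}

// Role is a (title, specialty) pair. Permissions attach to the pair, not to
// the person, so a cardiac surgeon and a pediatrics practitioner get
// different minimal sets. An empty Specialty means "not tied to a unit".
type Role struct{ Title, Specialty string }

// Grants is an allow-list: anything not listed here is denied.
// Constructed sample assignments, not a real hospital's matrix.
var Grants = map[Role]map[Permission]bool{
	{"surgeon", "cardiac"}:         {ReadDemographics: true, ReadNotes: true, WriteNotes: true},
	{"practitioner", "pediatrics"}: {ReadDemographics: true, ReadNotes: true, WriteNotes: true},
	{"front-desk", ""}:             {ReadDemographics: true},
}

type User struct {
	Name  string
	Roles []Role
}

// Record is the resource being accessed; Unit is the department that owns it.
type Record struct{ PatientID, Unit string }

// Authorize is default-deny: it returns true only if some role held by u
// explicitly grants p and, for unit-scoped permissions, that role's
// specialty matches the unit owning the record.
func Authorize(u User, p Permission, rec Record) bool {
	for _, r := range u.Roles {
		if !Grants[r][p] { // lookup in a missing inner map is safe and yields false
			continue
		}
		if !unitScoped[p] || r.Specialty == "" || r.Specialty == rec.Unit {
			return true
		}
	}
	return false
}
```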

Application Security

Application security covers the security of devices and applications within the healthcare system. These devices include mobile phones, monitors, etc. They are especially susceptible to harm if they can connect to the internet, and if not regulated, they can introduce malware into the health information systems. As a measure, all cell phones connected to the network should encrypt their data and be configured to be erased remotely if lost. Secondly, all devices should follow strong password practices. Based on experience, passwords should be longer than seven characters and include numbers and special characters. As well, passwords should be reset every sixty days. Lastly, all operating systems and software should be kept constantly up to date, and routine scans and patches should be conducted as well. This minimizes vulnerabilities and safeguards against a breach.

Protocols and Certificates

This section will cover how health information should be exchanged from system to system when needed. Although not specified in our prompt, smaller practices usually send orders to remote labs for patients requiring special types of tests. The lab then sends the results back to the practice so that treatment can be prescribed. To do so, the practice needs a secure connection to and from the lab. Therefore, based on my personal experience building interfaces for health practices, all documents and information exchanged with external systems, in either direction, should travel over SSL, SSH or a VPN. Whether the actual information is sent via FTP or web services, connectivity to external systems needs to be secured before information is shared.

SSH stands for Secure Shell and allows for remote access to a different computer. SSL, on the other hand, is web-based and uses a certificate system to authenticate and encrypt messages sent online. Lastly, a VPN creates a secure tunnel through which information can pass without the worry of eavesdroppers. Depending on the type of system established, practices should pick one of these three methods to secure the transfer of documents or messages to external locations. These protocols protect the integrity of the data being exchanged.

Data Center Backup

Regarding backing up data for a hospital environment, I would recommend the use of a data center that is off site. This site should function as a "hot site", a fully equipped data center that can be brought online within hours. Since this is a small practice, outsourcing to a third-party vendor may be the best option, as building and maintaining these types of backups can be very expensive. No matter the choice of backup data center, it is important that it is HIPAA compliant. In addition, since hospitals accept credit card payments, they must ensure that the storage of data is compliant with the Payment Card Industry Data Security Standard (PCI DSS), a standard that increases controls around cardholder data to reduce credit card fraud.

Other important considerations for a backup data center include location, personnel and security. This data center needs to be secured by following the protocols outlined above. Moreover, it should be placed in an area that is cool and safe as well as free of natural disasters. Lastly, there must be personnel who can maintain the data center and perform regular maintenance. These employees must also be aware of HIPAA compliance requirements.