Security: physical and environmental security in CIS
Clinical information systems, such as [[EMR|EMR], contain essential information for the practice of modern medical care in the US. As there are many threats to the security of clinical data and personal information, one of our main roles in administering such systems is the protection of that information from abuse. This article page will introduce some of the more common security threats and introductory advice on areas to focus when considering security.
Threat: any ageent that us undesirable effects to CIS security, function, or operability.
Breach: any time any protected health information (PHI) is improperly used or disclosed.
Importance & Benefits
Security measures aid in protection against many threats in health organization. It provides protection of CISs from:
- Disconnection from other computer services.
- Physical hardware destruction/theft
- Data destruction
- Unauthorized data disclosure (local or remote)
- Loss of control over system integrity
Before discussing the means of security, it is worth clarifying the antagonists of such systems so as to paint a clearer picture of the magnitude of work security entails. Security threats are often multivariate in origin, and while many tropes are not inaccurate in computer security, it is valuable to regularly consider where sources of vulnerability may exist within any organization.
Internal actors, regardless of organizational role or heirarchy, are responsible for a significant portion of the security breaches that take place in medical record systems and hospital organizations. While many of these breaches occur due to accidents, nearly half of these breaches occur with malicious intent. Due to the complexity of CIS, access controls are not always clear-cut and even with responsible systems administrators, vulnerabilities may remain. For this reason, it is important to regularly devote attention to the evaluation of the CIS security model and proactively invest in secure-yet-functional security model design. A HIPAA violation is likely to cost a business more, both monetarily and reputationally, than many typical IT departments, and as an unplanned expense. A good security model must be premissive enough to allow employees to do their jobs (get out of the way) and still protect against both unintentional (email phishing, compromised USB drive use) and intentional (inappropriate record access, network connections, backdoors) violations.
External actors are those that immediately spring to mind when anyone considers "hacking" of a computer system, and indeed they are a major source of danger for any internet-connected organization. Risks from external actors can be broadly categorized into physical and remote attacks. Physical attacks involve breaching the physical barriers surrounding a machine or network, allowing a malicious agent to gain direct access to a target system. These attacks are unequivocally the most dangerous and pose the greatest threat to an organization, as they are widely considered to be impossible to protect against with security-based barriers. While encryption serves some use, the security community considers any machine that has been physically exposed to a bad actor for any period of time to be effectively considered compromised. Physical security should never be overlooked in an organization's security model. Finally, supply-chain considerations should not be overlooked when assessing physical security. Technical hardware can be compromised out-of-the-box if an attacker has had access to the manufacturing process, so approach any used or foreign electronics with an abundance of caution before trusting their capabilities.
Remote attacks are those that occour over the network. These are easily defeated by the simplistic practice of never connecting to the internet. Unfortunately, this is not a practicable reality for most CIS implementations, and so more consideration must be given to security. The form of attacks available to a remote actor are as varied as they are complex, and it is widely considered to be impossible to defend against them all. Still, the vast majority of remote attackers are more interested in low-hanging fruit than cracking a tough nut, so there is great benefit to employing some basic network hardening.
Physical and Environmental Security
We can define physical and environmental security as the security measures taken to protect computer systems and employees from real-world threats.
- Protection of computer hardware and network components inside the facility/building from natural hazards such as water damage, fire, and weather.
- Protection from physical attacks such as burglary, data exfiltration, electromagnetic interference, and power disruption.
- Preservation of supporting facilities such as heating, cooling, and telecommunication/external networking.
Basic physical and environmental security examples:
- locked computer/server storage (physical isolation)
- fire/water safeguards
- failover power supply
- local-only management credentialing
The easiest and most well known form of network security is the firewall. A firewall can take many forms, providing security on a spectrum from simple passive filtering of network traffic to extensive packet inspection, filtering, and network masking. Behind any effective firewall is at least one security engineer performing network analysis to detect, investigate, and defend against any abnormal behavior. Breaches are often undiscovered until days, if not weeks or years, after the fact, and the longer it has been the worse the prognosis for the data and systems compromised.
Vulnerabilities of Wireless/Mobile Devices
Access and security of mobile devices is more complex than traditional isolated workstations. Traditional workstations like the office computer may have a variety of physical safeguards such as physical barriers (door and window locks), access restrictions (isolated to certain areas of a building) and monitoring (the use of security cameras and monitoring of environmental factors like temperature or moisture in a given area). Not all of these safeguards may be readily available to ensure the integrity of mobile devices.
Mobile devices must be safeguarded at all times; they are vulnerable at the grocery store, the gym, the home and even the office. More so, mobile devices can be accessed by an unauthorized user and restored to its original state to give the illusion of device integrity. Mobile devices can also be misplaced, lost or physically damaged enough to render them useless. These mishaps however, are superficial as healthcare information and data can still be accessed on a device that is found or only superficially damaged. It’s important to consider sensitive data can exists on devices whether or not the screen lights up.
In addition to the vulnerabilities presented by mobile devices, mobile device software is also vulnerable to exploitation. Mobile devices often have a memory capacity or communicate with “apps.” This demands increased network protection and use of encryption and firewalls as data is often transmitted to offsite storage facilities such as when using the “cloud” or when communicating via the internet or wireless network with software and “apps”. The high production rate of mobile software and technology ensures constant updates and fixes to software issues used on mobile devices. These updates can be downloaded directly from the internet or done through applications themselves. Therefore, mobile devices system and software updates should be verified and applied immediately to ensure the integrity of mobile devices. Out of date software can affect the efficacy of these devices in a healthcare setting.
Summary of Security for Electronic Health Information
Both The Health Information Technology for Economic and Clinical Health (HITECH) Act and the American Recovery and Reinvestment Act of 2009 serve to promote and encourage the use and exchange of electronic health information in the delivery of healthcare. With the encouragement of the Federal Government, health information will be transformed from paper records into electronic medical data.
The use of electronic data transmission via the Internet and through wireless radio transmission (wifi, Bluetooth and etc.) represents another segment of health information within the healthcare environment that must be protected against vulnerabilities. Recent health information breaches include cyber attacks on the private health insurers such as Premera and Anthem. These attacks affected millions of healthcare patients as well as providers. The extent of the data stolen includes, treatment history, patient demographic information and patient financial information.
In order to safely guard against threats to electronic medical information, several security measures should be taken:
- Encrypt all electronic information and data for both senders and receivers
- Encrypt all information stored on devices that access health information
- Use multiple layers of user authentication in different settings
* A single authentication factor such as a password may suffice for on-site data access * Dual or multiple authentication factors should be used for off-site data access
- Access to information should be partitioned and granted to users only on a need to know basis
- Maintain firewalls and continuously monitor network access and intrusion
- Train employees on the consequences of non-adherence to security practices
- Configure mobile devices to be remotely wiped if lost or stolen
- Configure mobile device geo tracking to monitor lost or stolen devices
- Keep software up-to-date
- Stay up to date on firmware for operational devices and hardware
* Install certified and/or approved patches in a timely manner * Encourage vendor support of security protocols and updates
- Do not download or use mobile applications or non approved software
- Establish and strictly adhere to internal security protocols
- S.K.PARMAR, Cst N.Cowichan Duncan RCMP Det 060 Canada Ave., Duncan, BC”INFORMATION RESOURCE GUIDE Computer, Internet and Network Systems Security”, 2000.
- Taitsman, Julie K., Christi Macrina Grimm, and Shantanu Agrawal. "Protecting Patient Privacy and Data Security." New England Journal of Medicine. New England Journal of Medicine, 14 Mar. 2013. Web. 24 Apr. 2015. <http://www.nejm.org/doi/full/10.1056/NEJMp1215258>.
- Levinson, Daniel. "Audit of information technology security included in health information technology standards." Office of Inspector General, Office of Audit Services. May 2011 (https://oig.hhs.gov/oas/reports/other/180930160.pdf). Web. 24 Apr. 2015.
- Bajwa, Mohammad. “mHealth Security.” Pakistan Journal of Medical Sciences 30.4 (2014): 904–907. Print.
- Wang CJ, Huang DJ. The HIPAA Conundrum in the Era of Mobile Health and Communications. JAMA. 2013 Sep 18;310(11):1121–2.
- Filkins BL, Kim JY, Roberts B, Armstrong W, Miller MA, Hultner ML, et al. Privacy and security in the era of digital health: what should translational researchers know and do about it? Am J Transl Res. 2016 Mar 15;8(3):1560–80.
- Cohen IG, Mello MM. HIPAA and Protecting Health Information in the 21st Century. JAMA. 2018 Jul 17;320(3):231–2.
- Fernández-Alemán JL, Señor IC, Lozoya PÁO, Toval A. Security and privacy in electronic health records: A systematic literature review. Journal of Biomedical Informatics. 2013 Jun;46(3):541–62.
Submitted by (Adham Emam) Submitted by (Kenneth Dunham) Submitted by (Samuel Roberts)