By Stacey McDaniel
Electronic medical devices and clinical software applications are being used in healthcare for a variety of purposes, including: increasing the level of care, improving physician productivity, reducing medical errors, and safely sharing patient medical records. Because they depend on an operating system just as any computer does, these devices and applications are also subject to the same threats and vulnerabilities as a computer.
Applying security patches as soon as they are released by a software developer can be overwhelming for any security professional. However, the complexity of the task increases in a healthcare setting because of the variety of devices in use, the regulatory requirements in effect, the nature of critical care, and the large numbers of users sharing access to single devices. In this era of fast-moving Internet threats, employing a random patching approach is not sufficient. Malicious code writers are always finding faster ways to exploit vulnerabilities, which requires security professionals to remain a step ahead of them.
The necessity of patching
The latest trends illustrate the -need for more frequent patching:
- Web application vulnerabilities: Web applications, such as healthcare portals that let patients and/or providers access information, are a convenient way for users to share, create, or modify content through a Web browser. This convenience comes at a price, however, as Web applications are becoming more prone to vulnerabilities. Web application vulnerabilities are particularly worrisome because they can publicly expose Protected Health Information (PHI).
- Bot networks: Bot networks are groups of compromised computers on which attackers have installed software that provides remote control over the computers. Bot networks are often more dangerous to new vulnerabilities than worms, as they don't require an attacker to write code in order to exploit the vulnerability. Unpatched vulnerabilities are one of the most common paths for bot networks to spread onto computer systems.
Solutions that can help
In light of these developments, it is unacceptable for medical devices and other healthcare systems to be left unpatched, yet the available time and budget required to keep patches up-to-date in healthcare are at a minimum. Staying apprised of the latest vulnerabilities can be a full-time job in itself. Several solutions can alert users to new vulnerabilities and threats, prevent attacks from accessing the network, proactively patch systems, and outsource monitoring for healthcare network environments:
- Threat management system and alert services This approach ensures awareness of Internet threats before they can pose a risk to an organization. It also provides timely information about specific threats targeting the healthcare industry.
- Security at the entry points It is essential to provide strong network security at the connection to the Internet and between network segments. For medical devices and clinical applications that are on internal subnets and do not have adequate security protection of their own, entry point protection can provide comprehensive security -- including firewall, intrusion detection and prevention, antivirus, content filtering, anti-spam, and VPN technology. Further, it is important to regularly update all security protection against the latest threats.
- Strong patch management A good patch management program -- while not sufficient as a standalone approach to healthcare security -- should be a part of the security strategy. Such a program can help identify missing patches and then install them on thousands of computers quickly, reducing the cost and time delay of sending IT staff around to each individual computer to apply a patch. The whole process can be automated -- from network scans, to patch deployment, installation validation, and report generation -- and it can be completed -- in minutes, not hours.
- Real-time monitoring Real-time security monitoring and continuous analysis of the state of an organization's security can take the monitoring burden off of IT staff.
Conclusion
The increased emphasis on improving physician productivity, regulatory compliance, and safely sharing patient medical records makes proactive protection and patching of systems critical. Internet threats are moving faster than ever, and can affect an unpatched system within a matter of days. Increased reliance on medical devices, clinical software applications, and computers has brought the healthcare industry to a point where it must be proactive about security threats. Timely patching is critical, and new technologies are available that can monitor computing environments, deploy patches, and send alerts at the first sign of trouble -- making patch management more manageable for a busy IT staff.
Stacey McDaniel has been writing about high-tech issues for more than six years.