Security News > 2004 > September > Healthcare CIO gets tough on net policy violators

Healthcare CIO gets tough on net policy violators
2004-09-30 10:25

http://www.computerworld.com/securitytopics/security/story/0,10801,96253,00.html By Bob Brown SEPTEMBER 29, 2004 NETWORK WORLD CareGroup Healthcare System is serious about its security and privacy policies, and those employees and business partners not adhering to them pay a huge price, according to the Boston healthcare organization's CIO. Dr. John Halamka kicked off the HealthSec 2004 Conference & Expo in Boston this week with a keynote address titled: "You're Fired! Security Breaches, Pink Slips and Public 'Executions.' " Halamka has made a name for himself in IT circles partly because of his decision to go public following a network outage at one CareGroup hospital back in November 2002 in an effort to help others avoid similar fates. Halamka shared examples, with names changed to protect the guilty, of CareGroup employees or associates who have been canned for violating security or privacy policies, which they had to agree to upon joining CareGroup or starting to do business with it. One doctor was found to be getting abusive in online chat sessions, a violation confirmed by packet sniff tracing. Another doctor, who wound up leaving before having the chance to get fired, violated policy by peeking into a spouse's psychiatric drug records. "It's important to have sanctions to have a policy that has teeth," said Halamka, who emphasized that CareGroup's termination policies apply equally to everyone from clerks up to head surgeons. One way that CareGroup stresses its policy compliance message is by making public, within the organization, when and why someone is axed for violating policy. If a policy is broken by a business partner employee, that organization needs to discipline its employee or CareGroup will cut off access privileges for the entire organization, said Halamka, who is an emergency doctor in addition to being an IT professional. But in order to fire anyone based on security or privacy policy violations, he said those policies need to be carefully crafted and supported throughout the organization, such as by the human resources department. The need for airtight security and privacy at health-care organizations, especially one the size of CareGroup, is obvious. CareGroup boasts 12,000 employees who serve some 9 million patients. The privately held organization moves some 70TB of data a day over a network infrastructure that includes 15,000 Cisco Systems Inc. equipment ports and 200 servers, mostly Unix. The organization also provides secure Web access to patients, employees and business partners. One huge security and privacy challenge for Halamka is that there are a lot of good medical reasons for doctors and others in a health-care organization to have access to a wide collection of patient and other data. "Every doctor has access to every patient's data," he said. The organization runs audits to keep inappropriate access in check, plus makes employees and patients privy to an audit trail regarding their data in case they have concerns about who is accessing it. To ensure that employees know what they are getting into when they sign a letter confirming that they will comply with the policies, they go through training. Halamka conducts training for medical students and researchers. CareGroup system users are also reminded about training when security keys are renewed at every 50th logon attempt. CareGroup's network security system includes use of username/password, Web surfing control, antivirus software, intrusion detection system products and VPNs. The VPNs are largely for business partners since the technology is a pain to deal with, Halamka said, especially when employees start asking questions about using the VPN from home PCs loaded up with all sorts of programs. CareGroup is strict about which systems are allowed access to its network and won't approve devices until they have the appropriate antivirus and Microsoft patch distribution software installed, Halamka said. One thing that CareGroup keeps a watchful eye out for is rogue WLANs, though the organization is in the midst of making wireless available to all corners of its facilities. The 802.11 net will support not only data transfer, but voice and RFID-based location-tracking applications, Halamka said. CareGroup will look at 802.1x to secure its integrated wired and wireless nets, he said. One ongoing frustration for Halamka is that despite the best efforts of his team to secure CareGroup's network, some vendors still don't understand what customers really need. He recounted having lunch several weeks ago with Microsoft Corp. CEO Steve Ballmer. He told Ballmer that Microsoft should refocus on making its software less feature rich and more secure and reliable. But Ballmer insisted that "customers want these features," according to Halamka. "The folks creating the systems don't get it," Halamka said. _________________________________________ Donate online for the Ron Santo Walk to Cure Diabetes - http://www.c4i.org/ethan.html


News URL

http://www.computerworld.com/securitytopics/security/story/0,10801,96253,00.html