WHILE THE RECENT widely-publicized crash of thousands of NT-based computers in universities and military bases across the country the night before Bill Gate’s testimony to Congress may have brought chuckles in the anti-Microsoft community, the actual implications of such attacks are no laughing matter in the business world. In banking and insurance, customers could be denied account information for hours; on Wall Street, such an incident could shut down trading activities for an entire day at a high cost to investors and traders alike; and in healthcare, providers and administrators would be unable to access patient insurance or lab tests stored online, delaying timely treatment for sick patients. News that Pentagon computers were hacked in February, allegedly by two bored California high school students, is further evidence that even the DoD is unprepared to fight computer crime.
According to a recent study by the Computer Security Institute, San Francisco, 64 percent of more than 500 organizations reported computer security breaches in the last 12 months--an increase of 16 percent over 1997--and at a loss of $136 million for the roughly 241 respondents that could provide figures. The security problem is likely a great deal worse than any of us have been lead to believe because a large proportion of security crimes are never reported. "Security crime has a stigma right now. It’s sort of like AIDS was 10 or 15 years ago--if you had it you didn’t talk about it," notes Chip Mesec, director of product management at Network Associates, a leading provider of security products and services in Santa Clara, Calif.
While in this industry, the biggest security risks are violations of patient privacy and confidentiality through unauthorized access to patient information, healthcare must also consider the cost of cleaning up after security breaches. Consider a patient lawsuit for one violation: that could run in the neighborhood of several million dollars, not to mention the resulting loss of business if the suit became public.
The exponential growth of the Internet has greatly contributed to the security problem by creating countless new ways for intruders to find a back door into a private network. The number of organizations in the study citing their Internet connection as a frequent point of attack rose from 47 percent in 1997 to 54 percent this year.
Yet viruses may be a bigger problem in the immediate future than random hackers because viruses can easily infiltrate operating systems through email attachments and ActiveX programs or from Web sites, according to Dixie Baker, PhD, chief scientist at SAIC’s center for information security technology, San Diego. "If you’re able to browse the Web you can also very easily, without even intending to, download malicious code that can cause denial of service or corrupt your applications," she says.
Still, evidence continues to mount that careless or disgruntled employees are causing a lot of the damage. Forty-four percent of breaches reported in the study were from unauthorized access by employees, compared with 24 percent from external attacks.
For organizations with an Internet connection, a complete security program will involve more than one product. Anti-virus software, firewalls and encryption are some basic building blocks, but the choices are vast and the technologies complex. Digital envelopes, public key/private key encryption, DES, certificate authorities, virtual private networks, tunneling, biometrics, smart cards--it’s enough to make the non-security expert break down and cry.
So what’s a hassled IS director with little time and no dedicated security staff to do? It may be as simple as attending a one-day security course or doing some research on the topic, says Mesec. "One of the smartest things you can do is do some reading and figure out what you can do cheaply to protect your network," he says. Mesec warns organizations against looking for a "magic bullet" solution to enterprise security. "If they want the most bang for the buck, what I always recommend is that they train their IS staff on security procedures… rather than buying a bunch of products." Simple things like policies for passwords and email can make a big difference in how secure an organization is, he says.
Adds Baker, chief investigator on a SAIC/UCSD security project for Internet access to patient records: "A firewall is only as effective as the security policy it is configured to enforce."
According to Mesec, there are four key components of a security program: "prevention" systems such as firewalls that block outsiders from the internal network; monitoring and detection systems, such as anti-virus software, that alert users or shut systems down in the event of a security problem; response systems, such as disaster recovery; and education.
User-friendly solutions coming…
Network Associates represents a growing trend of companies wanting to provide the whole security shebang through a one-stop shopping suite of products and services. The company has gone through a spate of acquisitions in the last year, including Pretty Good Privacy, Inc., the company that owns the popular PGP encryption, and Trusted Information Systems, a provider of firewalls, encryption key recovery and security training. Other players are Security Dynamics Technologies, Needham, Mass., which owns encryption giant RSA Data Security; and Secure Computing Corp., a consolidator in St. Paul, Minn. Big companies such as IBM, Sun and Cisco Systems also are getting more interested in security: Cisco picked up three security firms through acquisitions in the last year; IBM is making a big push in key recovery and digital certificate services; and Sun markets virtual private network, firewall and IP encryption tools.
What this could mean for buyers is a more integrated suite of products that works together, and eventually, will cost less. Ease of use, installation and configuration are a big focus at Network Associates, notes Mesec, who admits that historically, security firms have relished the complexity of their particular product. "The problem with that model is it does not fit typical IS organizations that are basically in firefighting mode," he says. "It’s got to be intuitive and connect to the systems you have today."
"The biggest problem with security is administration," agrees Craig Heartwell, chief technology officer at Aurora Enterprise Solutions, Reston, Va., a DoD contractor and developer of a Java-based middleware product for security management. "Traditionally, security technology has not been transparent." The company’s goal with its Soteria system is to provide a comprehensive product for encryption, authentication and access control that will "look just like your security policy."
A related trend in security technology is the increased automation of constantly changing requirements such as "need-to-know" access in healthcare. Systems of the future will be smart enough, says Heartwell, to know when rules can be changed in emergency situations or when a specialist is called last minute for review of a patient’s case.
There also are technologies available now that will help IS departments identify and resolve vulnerabilities in the network. One such product, the Netective, detection software from NETECT, Boston, scans information systems for weaknesses, provides IS with alerts about potential problems, and has an update feature that allows NETECT to "push" the latest information on new viruses or security problems into its database. "This software allows non-security professionals to review and assess security leaks," says Adam Shostack, NETECT’s director of technology.
An emerging infrastructure
Ultimately, says Baker, security will become background technology in software and hardware. "It belongs in the infrastructure," she says. She emphasizes the importance of software integrity found in common operating systems like UNIX and NT. "The most fundamental protection is a ’real’ operating system that executes in a hardware domain separate from applications and that provides process isolation."
There are other trends that should pave the way to more easily-deployable security systems. For one, most of the popular Web browsers on the market today already have industry-standard, strong encryption built in. Baker sees promise in the availability of software products that will generate and store encryption keys, and she believes network computers will resolve the security risk with local storage. She also predicts the movement of biometrics into the mainstream: "Fingerprint authentication will be integrated with laptops and PCs."
Still, make no mistake: strong security programs are a blend of both good policy and good technology. Each individual healthcare organization must constantly reevaluate the need for information with the need for security. Says Shostack: "It’s important that you find some balance between ease of access to give your employees the information they need and the privacy of your customers."
Polly Schneider is senior editor at Healthcare Informatics.