Carmine Clementelli Network Security Product Manager PFU Systems

In healthcare, risks to cyber security have never been greater.  As medical records and images are digitized and the internet has become a critical conduit for the healthcare industry, increasing numbers of medical professionals, employees, patients, and visitors often access networks on their personal unsecured mobile devices, rendering network perimeter defenses ineffective.

The 2014 “Fourth Annual Benchmark Study on Patient Privacy and Data Security” from the Ponemon Institute found that cyber attacks that resulted in stolen patient data within U.S. healthcare networks have increased 100 percent from since 2010.

An array of technologies exists to prevent and mitigate cyber attacks, but many of these solutions are complex to install, manage, and maintain. Integrating different tools from multiple vendors is typically a significant challenge due to interoperability complexities. Then, there are inherent weaknesses of passwords that are easy to guess, written down, or shared, coupled with lax enforcement of strict security policies among employees.  The ability of solutions to stay ahead of the latest mobile technologies and vulnerabilities is iffy at best.

Device Proliferation, Bring Your Own Device (BYOD) and Bring Your Own Application (BYOA)

The proliferation of network-connected devices of every kind surrounds us at work and in our homes. Research conducted in 2013 by Frost & Sullivan estimated that there were one billion devices shipped that year and another three billion expected to be purchased through 2016. The company estimates that by 2020 there will be nearly 80 billion connected devices around the world. (source: Frost & Sullivan U.S. Healthcare and Educational Organizations with BYOD Activity – 2011-2018).  When you hear the concept about The “Internet of Things” (IoT), these are devices that can be controlled via smart phones or remote internet connections - including things like your thermostat, a baby monitor, and your houselights.  These, too, can be hacked.

Regularly we hear about the amount of traffic traversing networks, the bandwidth being consumed, and yottabytes (one trillion terabytes) of information being stored. Ubiquitous internet access in our homes, at the office and on the go has raised our expectations and requirements for communications, leisure activities, and work. Those increasing expectations and requirements are behind the push by employees for BYOD and BYOA initiatives.  Securing these devices and applications to protect corporate networks from being exposed to viruses and malware from unsecure hardware devices is an increasingly critical challenge.

Americans are leading proponents of using their personal smartphones, tablets, and PCs for both personal and work activities. Small and medium-sized businesses have led the BYOD trend, with 62 percent of them allowing access to their networks by personal devices, according to Frost & Sullivan. Other organizations either prohibit personal devices, have loose or weak security guidelines, or no formal wireless policies. But among healthcare and educational organizations of all sizes, BYOD adoption in the U.S. has steadily increased since 2011.

BYOA actually predates BYOD. It's the downloading of non-business related applications by employees on either company-issued or personal devices. These applications (e.g., BitTorrent, Facebook, Twitter, YouTube and many other news and entertainment sites) have the potential to create serious security issues and make extensive use of company bandwidth.  During the days of Napster, employee use of workplace network resources to download music and video files also exposed employers to litigation.

Among U.S. healthcare organizations, the Ponemon Institute study found that, “despite the concerns about employee negligence and the use of insecure mobile devices, 88 percent of organizations permit employees and medical staff to use their own mobile devices (such as smart phones or tablets) to connect to their organization’s networks or enterprise systems such as email.” Only 21 percent of these healthcare networks scan BYOD devices prior to connecting and half of all healthcare organizations have little confidence in their current network security solutions.

Attack Trends and Healthcare

Today, we enjoy anytime access to information, news, entertainment, and communications. We want it anywhere a wired or wireless connection is available—from devices at our desks, at home, in the car, in our pockets, on the water, and in-flight.

The negative side of ubiquitous access and the warehousing of huge amounts of personal and business data are now becoming clear. Network breaches that lead to the theft of credit card data from millions of customers at the large U.S. retailers, such as Target and P.F. Chang's, have showed the insecurity of major networks. Security breaches at Experian and eBay left customer data exposed.  Malware attacks (including APTs, computer viruses, worms, Trojan Horses, and botnets) have surged. Security vendor McAfee Labs reported last year that they analyzed 100,000 new malware samples every single day in 2012.

Within organizations, unauthorized access to Wi-Fi and other networks have been attributed to negligent security and a failure to adhere to security policies by employees. This has resulted in everything from theft and data tampering to overuse of bandwidth, all costing organizations in lost business, intellectual property, competitive advantage, customer trust, brand reputation, and even criminal negligence.

U.S. healthcare organizations face the added mandate of protecting the privacy of patient data and the threat of severe penalties based on the Health Insurance Portability and Accountability Act of 1996 (HIPAA).  In spite of this, medical identity theft is growing and accounts for 43 percent of all identity theft reported in the U.S. in 2013, according to a report by the U.S. Department of Health and Human Services.   The agency estimates that since 2009, between 27.8 million and 67.7 million individuals’ medical records have been breached. A 2012 survey by the Healthcare Information and Management Systems Society (HIMSS) further underscores the scope of the problem:  BB of 303 IT and security professionals employed by hospitals and ambulatory care providers, 22 percent reported a security breach in the previous year.

While it seems everyone is most concerned with outside hackers, a majority of network security incidents actually originate within the network firewalls. A 2009 study by the Computer Security Institute (CSI) found that 60 to 80 percent of network attacks and misuse occur from within.  These internal breaches are much more costly to organizations than external ones. The flood of BYOD smartphones, tablets, and network-enabled medical devices in healthcare environments introduces new vulnerable entry points that can exacerbate the incidence of internal breaches. Security experts also cite anecdotal evidence of employees routinely sharing wireless passwords with non-employees and even the posting of passwords on white boards in conference rooms or on Post-It notes beneath a keyboard.

A 2013 study by Forrester Research reported that 78 percent of enterprises in North America and Europe said that updating their security to support mobile access was a critical or high priority; these same organizations were simultaneously and aggressively expanding BYOD and other mobile initiatives.

Wi-Fi Security Requirements in Healthcare: Approaches to Address Threats and Improving Network Service, User Satisfaction

IT must embrace mobility, BYOD and BYOA initiatives within healthcare networks as they reflect the work and lifestyle trends now adopted by millions of healthcare professionals, patients and families, administrators, and others. Wi-Fi is used to support the IoT in healthcare environments like infusion pumps, oxygen monitoring devices, smart beds, and other medical devices Several of the majors are staying far away from WiFi as an interrupt of a fraction of a second can have serious consequences for certain devices such as pumps, surgical lasers, EEG, EKG & other diagnostics… a single missed T-wave where the ventricles should be recovering could incorrectly indicate a chemical imbalance for ex), and applications such as electronic medical records (EMRs) and X-ray and MRI scans. Remote areas now connect with medical specialists through telepresence and other types of video delivered over Wi-Fi.

Organizations throughout the industry have found that installing agent software on every single wireless device and constantly updating that software to accommodate dynamic user populations and policies is an excessively cumbersome and intrusive solution.

Contrast this with an automated, self-provisioning Wi-Fi security solution that resides on an out-of-band instead of inline appliance. It doesn’t use bandwidth or impact network performance. There is no agent software to install on devices or software updates to manage.

For healthcare environments with Wi-Fi networks used by medical staff, patients, and visitors, look for a security solution that meets these requirements:

• Incorporates the best existing security tools all in one solution
• Provides wired and wireless endpoints visibility and access management
• Provides applications visualization and control on application usage
• Is deployed internally and continually monitors the internal network
• Enables easy policy enforcement in an agentless fashion
• Is simple to deploy and manage through automation and self-provisioning
• Works out-of-band and without the overhead of agent software installation on devices
• Is affordable and efficient

Providing security for Wi-Fi networks requires different strategies and solutions as compared to traditional network security that sits at the network perimeter. With Wi-Fi networks there is no longer a network perimeter, so a reliable security solution must be able to continually monitor the Wi-Fi network to see who is on it, when they are connecting, what devices and applications they’re using, how much bandwidth they’re consuming, plus other key metrics.  The right solution will also enforce security policies easily and non-intrusively so that enforcement does not become a burden on end users or IT.

Network heath and security is becoming an intrinsic aspect of great healthcare.  It’s increasingly essential to effective administration, regulatory compliance, employee productivity and morale, and the safety and satisfaction of patients and their families. 

Careful planning and the right solutions can enable organizations to enforce effective solutions without excessive burden, and meaningfully advance quality of care and satisfaction while protecting the organization, its employees and its patients.