I consider security one of my top concerns, and one of my major strengths. Given the volume of information that my servers hold, any potential breach could pose serious problems. We constantly audit our servers and security logs, use a custom firewall and intrusion detection software and take a "close everything open only what's necessary" approach to security. We also use full hard disk encryption on all laptops. I'm confident our systems are more secure than 99% of hospitals out there.
On a given day my servers detect and thwart a minimum of 5 to 6 all-out brute-force intrusion attempts. Identified attempts are automatically blocked from accessing any services on any of our servers. Our firewall logs and blocks at least 50 network scans per day.
But even I know that to assume we'll never suffer an intrusion is arrogant and dangerous. That's why I made it a point to attend the session on HIM breach notification laws. What was surprising to me was how few people attended that session. I guarantee a lot more will attend the session on the Government stimulus bill, but managing and planning for security issues should be even more important.
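The detect-and-block loop described above can be boiled down to a small piece of logic: watch the authentication log, count failed logins per source address inside a sliding time window, and hand any source that crosses a threshold to the firewall. The following is an added illustration, not the author's own tooling or anything from the post. It assumes OpenSSH-style syslog lines, a 5-failure / 10-minute threshold, an iptables firewall, and that log lines arrive in chronological order; the log lines themselves are constructed for the example.

```python
"""Minimal brute-force detector over SSH auth log lines (added illustration).

The log lines below are CONSTRUCTED for this example; the format mimics
OpenSSH's syslog output ("Failed password for ... from <ip> port ...").
The threshold, window and allowlist are assumptions, not values taken
from any real deployment.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches only failed password attempts; successful logins and other
# sshd messages are ignored so they never count against a source.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def parse_failed_login(line, year=2009):
    """Return (timestamp, source_ip, username) for a failed-login line, else None.

    Syslog omits the year, so the caller supplies it (assumed 2009 here).
    """
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["user"]


def find_brute_force_sources(lines, threshold=5, window=timedelta(minutes=10),
                             allowlist=frozenset()):
    """Return {ip: peak_failures_in_window} for sources that reached `threshold`
    failed logins within any `window`-long span (sliding window per source).

    Lines are assumed to be in chronological order. Addresses in `allowlist`
    (e.g. a management jump host) are never flagged.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    flagged = {}
    for line in lines:
        parsed = parse_failed_login(line)
        if parsed is None:
            continue
        ts, ip, _user = parsed
        if ip in allowlist:
            continue
        q = recent[ip]
        q.append(ts)
        # Drop failures that have aged out of the window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


def block_rules(flagged):
    """Render one iptables DROP rule per flagged source (assumes an iptables
    firewall; the rules are returned as strings, not executed)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(flagged)]


# Constructed sample: one source hammers root and guessed accounts within a
# few seconds; a legitimate user mistypes a password twice much later.
SAMPLE_LOG = """\
Mar 15 02:14:01 ehr-db sshd[1822]: Failed password for root from 203.0.113.9 port 51422 ssh2
Mar 15 02:14:03 ehr-db sshd[1822]: Failed password for root from 203.0.113.9 port 51423 ssh2
Mar 15 02:14:04 ehr-db sshd[1825]: Failed password for invalid user admin from 203.0.113.9 port 51424 ssh2
Mar 15 02:14:06 ehr-db sshd[1825]: Failed password for invalid user oracle from 203.0.113.9 port 51425 ssh2
Mar 15 02:14:08 ehr-db sshd[1829]: Failed password for invalid user test from 203.0.113.9 port 51426 ssh2
Mar 15 02:15:11 ehr-db sshd[1834]: Accepted publickey for jdoe from 192.0.2.44 port 40122 ssh2
Mar 15 02:40:00 ehr-db sshd[1901]: Failed password for jdoe from 192.0.2.44 port 40130 ssh2
Mar 15 02:41:00 ehr-db sshd[1901]: Failed password for jdoe from 192.0.2.44 port 40131 ssh2
""".splitlines()

if __name__ == "__main__":
    hits = find_brute_force_sources(SAMPLE_LOG)
    for ip, count in hits.items():
        print(f"{ip}: {count} failed logins inside the window")
    for rule in block_rules(hits):
        print(rule)
```

The sliding window matters: a flat per-day count would eventually flag the legitimate user who fat-fingers a password a few times a week, while a window catches the burst pattern that distinguishes an automated attack. The allowlist is the safety valve for the "close everything, open only what's necessary" approach, so that an administrator locked out by a typo cannot also lock out the management host.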
The new Federal law regarding breach or loss of personal information is likely to be far reaching and complex. Goodness knows, the state regulations already are. Those laws are there to protect the average consumer from stupid network administrators. It certainly won't stop a breach in itself, but it places a large onus on the company to ensure that a breach never occurs.
It's unfortunate that these steps even need to be taken, but when you consider how many millions of people out there have home computers infected with everything under the sun, it's no surprise. The problem is that computer and Internet security is a complex matter. It's nearly impossible to know everything about every way data could be lost or compromised in your facility, especially given how smart and resourceful the hackers who want to steal that data from you are.
I believe we've reached a point where there should be a "Senior Network Security Officer" in all companies whose job is simply to guard against security breaches, be it through a lost laptop or an Internet attack or virus. Staying on top of computer security methodologies is in itself a full-time job with its own specialty. That person needs to be well versed in all of the tools of the trade, and have the authority to force employees in the organization to comply. He or she would make certain there's a published security policy, and ensure the organization is trained on it and following it.
Without that kind of oversight, companies, particularly in Healthcare, may find themselves fined hundreds of thousands or even millions of dollars, not to mention losing credibility with their customers.
Unfortunately in many cases security is delegated to the network administrator, who may even be an outsourced contractor who has little knowledge of advanced anti-intrusion methods.