3 strategies for strengthening internal data security practices
When it comes to securing a hospital's IT, the focus is on keeping unwanted or unauthorized people out of the system. Strengthening a system to bar access to the wrong people while making it easy for the right ones to get in is always on IT managers' minds. What most people think about in the realm of security is referred to as "perimeter control," or securing a system from outside intruders.
But this is not the only area that needs focus, as there are just as many threats to network security within an organization as there are without. Paul Christman, Vice President, Public Sector Sales and Marketing at Dell, speaks about three key elements of internal controls that help ensure a system's IT is as strong inside a hospital's corridors as it on the outside.
[See also: Data breach leads to $1.7M fine for Alaska DHSS]
1. Two-factor identification. Probably the most familiar to the security-minded, two-factor identification is the next step beyond the traditional system of requiring a username and password for access. "Username/passwords are the foundation for a lot of our internal security, but passwords can get lost, passwords can get hacked," says Christman. Much more secure is coupling the username/password combination with an additional token, like a key card or some other unique device that helps identify a person trying to log on as who they should be. This second factor is only limited by the bounds of an IT department's imagination- and its budget. "It could be a key fob, you see people carrying around little tokens that have random number generators," says Christman. He goes on to describe advances being made to develop "soft tokens," or a strong second factor that can reside on something almost every hospital worker is permanently attached to- a person's mobile device. Two factor identification, while not bulletproof, makes simply cracking a password much less effective. Christman likens the system to an ATM machine, saying that just a PIN or card alone will not grant access – the two are needed in conjunction to make the system work.
2. Identity of a service. Anybody in a healthcare system probably has to deal with more than a handful of passwords. Christman says this horde of passwords is part of the problem. Another problem is keeping track of all of a system's users and the hassles that entails. The solution to this lies in authenticating a user's device to connect to a central server, which then passes on the authentication details to the specific applications that a user is approved to access. "The system understands who I am, the authentication engine passes my credentials on to the software," says Christman. "You can control these credentials from one place and you can shut someone out. You don't have to worry about all of the different places their identity was stored." Authenticating through identity of service also has its added security benefits. "If you just have a username/password to a website, you can share that on a Post-It note," says Christman. "It's horribly insecure." With identity of service, there are no passwords to share. Also, when someone leaves the system or loses a device, removing privileges is as simple as a few clicks.