When it comes to securing a hospital's IT, the focus is on keeping unwanted or unauthorized people out of the system. Strengthening a system to bar access to the wrong people while making it easy for the right ones to get in is always on IT managers' minds. What most people think about in the realm of security is referred to as "perimeter control," or securing a system from outside intruders.
But this is not the only area that needs focus, as there are just as many threats to network security within an organization as there are without. Paul Christman, Vice President, Public Sector Sales and Marketing at Dell, speaks about three key elements of internal controls that help ensure a system's IT is as strong inside a hospital's corridors as it on the outside.
[See also: Data breach leads to $1.7M fine for Alaska DHSS]
1. Two-factor identification. Probably the most familiar to the security-minded, two-factor identification is the next step beyond the traditional system of requiring a username and password for access. "Username/passwords are the foundation for a lot of our internal security, but passwords can get lost, passwords can get hacked," says Christman. Much more secure is coupling the username/password combination with an additional token, like a key card or some other unique device that helps identify a person trying to log on as who they should be. This second factor is only limited by the bounds of an IT department's imagination- and its budget. "It could be a key fob, you see people carrying around little tokens that have random number generators," says Christman. He goes on to describe advances being made to develop "soft tokens," or a strong second factor that can reside on something almost every hospital worker is permanently attached to- a person's mobile device. Two factor identification, while not bulletproof, makes simply cracking a password much less effective. Christman likens the system to an ATM machine, saying that just a PIN or card alone will not grant access – the two are needed in conjunction to make the system work.
2. Identity of a service. Anybody in a healthcare system probably has to deal with more than a handful of passwords. Christman says this horde of passwords is part of the problem. Another problem is keeping track of all of a system's users and the hassles that entails. The solution to this lies in authenticating a user's device to connect to a central server, which then passes on the authentication details to the specific applications that a user is approved to access. "The system understands who I am, the authentication engine passes my credentials on to the software," says Christman. "You can control these credentials from one place and you can shut someone out. You don't have to worry about all of the different places their identity was stored." Authenticating through identity of service also has its added security benefits. "If you just have a username/password to a website, you can share that on a Post-It note," says Christman. "It's horribly insecure." With identity of service, there are no passwords to share. Also, when someone leaves the system or loses a device, removing privileges is as simple as a few clicks.
3. Least privileges. Ever want to be king for a day? Turns out that's actually one of the best ways to manage large IT systems where multiple people need administrator access, according to Christman. Networks allow for different levels of permissions, or ability to change and control configurations, with the highest level called root, which is basically "god status," says Christman. "You can do anything you want inside the IT services. You can do all sorts of very very high level things." It's not necessary for most to operate at this level, and as a result they're granted the much more commonplace user-level accounts. When someone needs a higher level of authority, instead of granting them unlimited access, Christman says least privileges allows a manager to "grand the amount of privileges necessary for a person to do their job, no more, no less." With this system, a user can get enhanced privileges for a specified period of time when "everything you do during that time is watched and logged and audited," says Christman. "When you give the keys to the kingdom to someone, you have to know you can get them back."