Network Security Check-Up for Health Care Networks

Health care providers are an interesting situation with regard to network security.  Like many industries, they’re dealing with rapid technological change in the face of a variety of regulations – in the U.S. health care industry it’s HIPAA and HITECH, and PCI – focused on the portability, security and privacy of PHI and the security of patients’ credit card data, respectively.

At the same time, their users are adopting many of the same high-risk, high-reward applications that users in other industries are adopting.  The problem, as in most industries, is the high-risk, low-reward applications that so many health care employees use in addition to useful Internet-hosted applications.

Recently, I had a chance to talk to a group of folks in health care – specifically folks concerned with network security.  So I took a look at a cut of our Application Usage and Risk Report data that included only health care organizations.  I looked at actual application traffic across 118 different health care organizations.  What I found was that despite regulations and privacy concerns, the application mix looked very similar to the mix that we see across all organizations.  There were, however, a couple of differences.

Webmail, Instant Messaging,, and Social Networking
Health care users are good at staying in touch – perhaps a bit better than average.  Webmail applications were found in every one of the 118 health care organizations I looked at, with Gmail, Hotmail, and Yahoo Mail topping the list.  IM was only slightly less penetrated, with Yahoo, Google, and Facebook applications topping the list of chat applications.  Finally, social networking applications are slightly better penetrated in health care organizations than the norm – with Facebook, and Twitter at 99% and 98% respectively.

Filesharing
Filesharing applications were heavily used in health care organizations, again, despite any potential concerns regarding leaks or loss of patient information.  The most common use of browser-based filesharing were applications typically used for business purposes – namely SkyDrive and DocStoc.  But entertainment/copyrighted content-centric filesharing was also common, where regardless of technology (browser-based vs. peer-to-peer), we found at 58%.

The aforementioned communications and filesharing applications carry regulatory and data leak/data loss risks as well as the typical malware risks.  Pretty serious risks at that.  But that said, many of these applications are in use to help health care users get their jobs done.  One organization I talked to had a specific initiative on Facebook for helping their customers stay in shape.  Other organizations use filesharing applications to move large image files efficiently.  My point is that in many cases, safe enablement is the desired goal, not blocking.

While I think the initial response of many network security folks focuses on negative control – as in, block Facebook, or block Gmail, or even Skype – others are looking at this from a different perspective.  By adopting a traditional positive control model – in other words, default deny.  This way, organizations can expressly enable health care applications like Carefx or Sentillion, or even health care middleware like HL7.  More radically, organizations can enable specific groups (e.g., marketing) to use other applications (e.g, Facebook) for business or acceptable personal use.  While there is always some power and control in being able to block certain applications, it’s often easier, more powerful, and ultimately more secure to be able to allow the applications you want, mitigate the risks associated with those allowed applications, and deny all else.   This stance also has the benefit of focusing on enabling the business, which is always a more strategic position for network security professionals.