Two become one – IT security best practice in healthcare consolidations

There is an ongoing surge of consolidations in the healthcare industry; particularly among hospitals and healthcare clinics.

An increasing number of physician practices are also being absorbed by larger hospital and clinic organizations. While there are certain benefits to this activity, there are also risks; none of which are more serious than maintaining the security of sensitive patient data.

When any organization grows through acquisition, the decision is often made to focus on locking down the perimeter of the newly-combined IT network. This leaves relatively few barriers for communication between the merging organizations for ease of workflow, access to data and to make system consolidation easier. While this might seem to be a logical approach to ease the merger process, it can often lead to a false sense of security and overconfidence in terms of mitigating network compromises or determining if a threat already resides within the newly-joined systems.

This approach can easily be compared to the traditional “castle security model” with a moat surrounding thick high walls with virtually no security residing within. This model can do an excellent job of repelling external attacks but is ineffective at protecting against threats within – the best example being the proverbial Trojan Horse. The modern example of this is the numerous phishing attacks that can typically be attributed to at least one user making a poor decision from a security perspective that allows an attacker to gain unauthorized network access.

Typical Scenario
By way of example, consider the purchase of a small hospital group by a larger entity. It is quite likely that the groups will have several disparate, overlapping systems such as EMR/EHR systems, diagnostic imaging and pharmacy, as well as physical/logical facility access systems, networks and applications. The fact is, the healthcare software and hardware market is highly-competitive and there are multiple options for each function.

This competitive environment is ideal for containing costs and driving innovation but has the potential to create a security nightmare. Add to this the huge increase in the number of connected devices in recent years, and the job of securing any single hospital is daunting, to say the least. Now, multiply that complexity to address the merger two organizations with multiple facilities, many of which were acquired themselves, and the securing the new enterprise becomes almost impossible.

These security challenge scenarios include:
• Integrating two networks to provide access to the systems of both groups, while protecting the respective sensitive data from both external and internal attacks
• Facilitating authentication and access to systems and applications for users from both entities without compromising patient care
• Understanding where all sensitive data resides and the level of protection that is required and implemented
• Protecting sensitive data while allowing access to applications and individuals
• Network access is often the first order of business when organizations begin to consider how to consolidate systems and data stores while providing access to the systems and applications necessary to operate the hospital without impacting patient care. Many organizations run effectively flat networks since it is far easier to manage, and many believe that logical access controls are adequate to protect access to data without network segmentation. In addition, most hospital networks have grown over time with different parties providing architecture guidance. This usually results in poorly designed networks with far too many ingress and egress points and little to no segmentation and isolation of sensitive data. When combined, the result is a combined network with very little security besides the known perimeter.

Access control
Authentication and access to systems continue to be an issue for healthcare as there are two polar opposite needs that must be considered: quick, easy access to clinical and patient data for doctors, nurses and other care givers; and the need to guard against unauthorized disclosure. Most in healthcare would like a world where time need not be spent logging onto and off of systems. This process takes time and time is their most precious commodity.

Add to this that these professionals prefer to use personal mobile devices to access information, especially when they work in multiple facilities, and they instantly become pitted against the security teams. Exacerbating this conflict are HIPAA rules that dictate strong authentication such as two- or three-factor, before allowing access to PHI.

Understanding where data is, and implementing and enforcing corresponding classification systems is difficult enough without facing multiple locations where it is generated and resides. Unfortunately, it is critical to understand what electronic information exists and where it resides before deciding how it can best be secured. While this problem is not unique to healthcare, it is more of a concern in this industry due to the considerable number of systems and applications that generate, collect and store PHI. The sooner this can be handled, the sooner it can better properly protected.

Keeping it Encrypted
HIPAA is clear on protecting PHI. The security rule essentially requires that all PHI be encrypted both in-transit and at-rest. Yes, it is listed as an “addressable” control, but this doesn’t mean “optional,” a fact that seems lost on many healthcare organizations. According to the FAQs published by HHS and the OCR, not encrypting PHI isn’t really an option and an organization would be extremely hard pressed to justify not encrypting PHI as “reasonable and appropriate.”

If the decision is made to encrypt, it’s important to understand that not all options are equal. Many security teams rely on whole disk encryption across their environment. While an appropriate solution for mobile devices, this is not suitable for servers and other systems that store PHI and constantly operating. Whole disk encryption on an “always-on” server does not actually provide data protection since the disk must be unlocked when the system fire up; resulting in unfettered access to unencrypted data. Logical- or role-based encryption is a far superior solution as it encrypts data with an access control that only allows authorized to access unencrypted PHI.

Consolidation in Action
So, what can be done to better prepare for and execute a consolidation that doesn’t make security an afterthought?

First, networks should not be combined with no restrictions. Take the time to understand what systems and applications need access across the boundary and then build access control lists that only allow the required traffic in both directions. In addition, and before enabling the ACLs, conduct a network level scan against the systems (both servers and endpoints) to identify any vulnerabilities and potentially compromised systems. It is important to then make sure they are updated to remove the vulnerabilities and mitigate the compromises.

Before allowing any additional connectivity, this process will buy time to thoroughly evaluate the new network’s architecture and security controls, as well as its overall state to see if there any exploitations on the system to be paired with. Limiting network connectivity between the two networks will make it more difficult for an attacker to move laterally should they gain access via the newly connected network.

Next, understand the nature and location of any sensitive data being made available to the other side and ensure that strong authentication is enabled for all access to PHI on both sides. Evaluate the authentication methods present on each network and don’t be afraid to use a system on the other side if it does a better job. Enabling strong multi-factor authentication also decreases the risk of compromised credentials being used to compromise PHI.

Finally, review current encryption enabled on both sides for data being connected and ensure strong, logical solutions are in place to keep data safe. Encrypting PHI in this manner is a last line of defense to protect against loss of PHI. Note, that OCR offers safe harbor for reporting a breach of properly encrypted data.

Combining these methods will significantly reduce the risk of the consolidation and will provide time to conduct a complete evaluation and finalize the consolidation in a time frame that reduces the operational impact on both organizations and, perhaps most importantly, results in much better security outcomes.

Kurt Hagerman is chief information security officer at Armor, the First Totally Secure Cloud Company™ that keeps sensitive, regulated data safe and compliant in the cloud. For more information, visit

The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.

© Copyright ASC COMMUNICATIONS 2017. Interested in LINKING to or REPRINTING this content? View our policies by clicking here.


Top 40 Articles from the Past 6 Months