[ISN] Healthcare CIO gets tough on net policy violators

InfoSec News isn at c4i.org
Thu Sep 30 06:25:35 EDT 2004


By Bob Brown
SEPTEMBER 29, 2004 

CareGroup Healthcare System is serious about its security and privacy
policies, and those employees and business partners not adhering to
them pay a huge price, according to the Boston healthcare
organization's CIO.

Dr. John Halamka kicked off the HealthSec 2004 Conference & Expo in
Boston this week with a keynote address titled: "You're Fired!  
Security Breaches, Pink Slips and Public 'Executions.' " Halamka has
made a name for himself in IT circles partly because of his decision
to go public following a network outage at one CareGroup hospital back
in November 2002 in an effort to help others avoid similar fates.

Halamka shared examples, with names changed to protect the guilty, of
CareGroup employees or associates who have been canned for violating
security or privacy policies, which they had to agree to upon joining
CareGroup or starting to do business with it. One doctor was found to
be getting abusive in online chat sessions, a violation confirmed by
packet sniff tracing. Another doctor, who wound up leaving before
having the chance to get fired, violated policy by peeking into a
spouse's psychiatric drug records.

"It's important to have sanctions to have a policy that has teeth,"  
said Halamka, who emphasized that CareGroup's termination policies
apply equally to everyone from clerks up to head surgeons.

One way that CareGroup stresses its policy compliance message is by
making public, within the organization, when and why someone is axed
for violating policy. If a policy is broken by a business partner
employee, that organization needs to discipline its employee or
CareGroup will cut off access privileges for the entire organization,
said Halamka, who is an emergency doctor in addition to being an IT

But in order to fire anyone based on security or privacy policy
violations, he said those policies need to be carefully crafted and
supported throughout the organization, such as by the human resources

The need for airtight security and privacy at health-care
organizations, especially one the size of CareGroup, is obvious.  
CareGroup boasts 12,000 employees who serve some 9 million patients.  
The privately held organization moves some 70TB of data a day over a
network infrastructure that includes 15,000 Cisco Systems Inc.  
equipment ports and 200 servers, mostly Unix. The organization also
provides secure Web access to patients, employees and business

One huge security and privacy challenge for Halamka is that there are
a lot of good medical reasons for doctors and others in a health-care
organization to have access to a wide collection of patient and other
data. "Every doctor has access to every patient's data," he said. The
organization runs audits to keep inappropriate access in check, plus
makes employees and patients privy to an audit trail regarding their
data in case they have concerns about who is accessing it.

To ensure that employees know what they are getting into when they
sign a letter confirming that they will comply with the policies, they
go through training. Halamka conducts training for medical students
and researchers. CareGroup system users are also reminded about
training when security keys are renewed at every 50th logon attempt.

CareGroup's network security system includes use of username/password,
Web surfing control, antivirus software, intrusion detection system
products and VPNs. The VPNs are largely for business partners since
the technology is a pain to deal with, Halamka said, especially when
employees start asking questions about using the VPN from home PCs
loaded up with all sorts of programs.

CareGroup is strict about which systems are allowed access to its
network and won't approve devices until they have the appropriate
antivirus and Microsoft patch distribution software installed, Halamka

One thing that CareGroup keeps a watchful eye out for is rogue WLANs,
though the organization is in the midst of making wireless available
to all corners of its facilities. The 802.11 net will support not only
data transfer, but voice and RFID-based location-tracking
applications, Halamka said. CareGroup will look at 802.1x to secure
its integrated wired and wireless nets, he said.

One ongoing frustration for Halamka is that despite the best efforts
of his team to secure CareGroup's network, some vendors still don't
understand what customers really need. He recounted having lunch
several weeks ago with Microsoft Corp. CEO Steve Ballmer. He told
Ballmer that Microsoft should refocus on making its software less
feature rich and more secure and reliable. But Ballmer insisted that
"customers want these features," according to Halamka.

"The folks creating the systems don't get it," Halamka said.

More information about the ISN mailing list