Keeping Medical Data Safe and Sound

With health information going digital, patient safety is no longer the sole province of the care team. How Barnabas Health’s Hussein Syed created an IT security plan to ensure data is secure no matter where it resides.

They called it Code Red. In the summer of 2001, a worm infected more than 359,000 hosts in less than fourteen hours by exploiting a buffer overflow in unpatched versions of Microsoft’s IIS web server. According to the Center for Applied Internet Data Analysis, the “worm spread by probing random IP addresses and infecting all hosts vulnerable to the IIS exploit.” Code Red also carried a distributed denial-of-service (DDoS) payload aimed at Whitehouse.gov, but that part of the attack did little damage.

Code Red was a wake-up call to the global community, and information technology professionals took notice. Hussein Syed, who now serves as the director of IT security for Barnabas Health, was one of those people. In the aftermath of Code Red, he became the health system’s engineer tasked with building network solutions around security. “When attacks became more targeted, we in security started making more strategic decisions and changed how business is conducted,” he says. Suddenly, Syed found himself at the center of a storm. He was a one-man security department in charge of protecting critical data for New Jersey’s largest health system.

“Everything we do and all the security measures we implement are about limiting risk to protect patient data.”

Things happened quickly. Syed started creating data-transfer requirements for business partners and putting processes in place to comply with HIPAA requirements. Then he began encrypting thumb drives, blocking select websites, and educating employees on data-security practices, building out policies and solutions over many years. Today, Syed leads a six-member department dedicated to information security at Barnabas.

With all the technology hospitals are now implementing, they face a difficult challenge: information must be both accessible and secure. Syed says his strategic plan for security starts with interactions between the CIO and other executives. “Our CIO is on an operating committee that makes all the decisions around the strategic direction of Barnabas Health,” he explains. “He discusses security measures with senior management to apprise them of risks, issues, and solutions while analyzing what we need to do to align with their strategic goals.”

Like all health systems, Barnabas Health is rapidly moving toward electronic health record (EHR) implementation and health-information exchanges. These big-ticket items require the transfer and exchange of unprecedented amounts of digital information internally and externally. Syed’s team has to protect this data as it is exchanged in real time, all the while ensuring they meet regulatory requirements, minimize risks, and prevent attacks.

In 2008, some internal incidents involving the misuse of equipment led Syed to change course. He created a new encryption policy to protect company data by equipping all assets, especially laptops, with a new data-encryption program. Now, every laptop Barnabas Health owns is encrypted regardless of the information stored on it. The policy will soon extend to desktops, and Syed’s team has used a Symantec device-control product to block USB storage: only pre-approved, registered USB drives will mount. As things move forward, Barnabas Health’s security department will issue encrypted thumb drives and limit the number of people authorized to copy data to removable media. Furthermore, the company prohibits third-party webmail, online storage, and mobile chat. “Everything we do and all the security measures we implement are about limiting risk to protect patient data,” says Syed.

The team is also working on a degree-of-permeability program to monitor all data movement, and is extending Barnabas’s risk-assessment process so that every initiative is scrutinized before its launch date. The result is a standardized approach that governs how data is accessed, backed up, and discarded.

Until last year, most cyber attacks targeted financial institutions. But in 2013, hackers launched a DoS attack against a health-care system in England over its stance on patient care. In April 2014, Boston Children’s Hospital confirmed that its security teams had been fighting weeklong cyber attacks that took down various online services. According to the Boston Globe, Anonymous may have launched the attack in response to an ongoing child custody case involving alleged abuse. At Barnabas, Syed has implemented a DoS protection system at the perimeter, with monitoring placed upstream, two steps removed from the hospital’s own network. If an attack occurs, alerts trigger and allow security staff to shift Internet traffic and respond accordingly so critical systems remain online.
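The perimeter monitoring described above has to notice a flood before the hospital's links saturate. The following is an added example, not Barnabas Health's DoS protection system or any vendor's code: a sliding-window request-rate detector run over constructed web-server log lines in the common Apache/nginx combined format. It keeps one window per source address, which catches a single flooding host, and one window over all traffic, which catches a distributed flood whose sources each stay under the per-source limit. The thresholds, addresses and traffic pattern are assumptions chosen for the example.

```python
"""Sliding-window rate detector for HTTP floods over combined-format logs.

Added example; the log lines are constructed below, not real traffic.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format: ip ident user [ts] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse(line):
    """Return (source_ip, timestamp) for a combined-format line, or None if malformed."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT)


def detect(lines, window_s=10, per_source=50, aggregate=400):
    """Scan time-ordered log lines and return a list of alerts.

    Each alert is (source, window_start, count). source is the offending IP
    for the per-source window and "*" for the aggregate window. A window
    fires once when it crosses its limit and re-arms after it drains.
    """
    per_ip = defaultdict(deque)   # ip -> timestamps inside the window
    total = deque()               # all timestamps inside the window
    firing = set()
    alerts = []

    def check(key, q, limit):
        if len(q) > limit:
            if key not in firing:
                firing.add(key)
                alerts.append((key, q[0], len(q)))
        else:
            firing.discard(key)

    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # malformed line: skip it rather than crash the detector
        ip, ts = rec
        horizon = ts - timedelta(seconds=window_s)
        for key, q, limit in ((ip, per_ip[ip], per_source), ("*", total, aggregate)):
            q.append(ts)
            while q[0] < horizon:   # drop entries older than the window
                q.popleft()
            check(key, q, limit)
    return alerts


def sample_lines():
    """Constructed traffic (assumed addresses): one minute of background
    traffic, then a single-host flood, then a distributed flood in which
    every host stays below the per-source limit."""
    t0 = datetime(2014, 4, 22, 10, 0, 0, tzinfo=timezone.utc)

    def line(ip, t):
        return f'{ip} - - [{t.strftime(TS_FMT)}] "GET /patient-portal/ HTTP/1.1" 200 512'

    lines = []
    for s in range(60):                                   # 3 hosts, 1 req/s each
        for ip in ("10.1.1.5", "10.1.1.6", "10.1.1.7"):
            lines.append(line(ip, t0 + timedelta(seconds=s)))
    for i in range(200):                                  # 200 reqs in ~4 s, one host
        lines.append(line("203.0.113.9", t0 + timedelta(seconds=60, milliseconds=20 * i)))
    for h in range(60):                                   # 60 hosts x 10 reqs in 5 s
        for i in range(10):
            lines.append(line(f"198.51.100.{h + 1}", t0 + timedelta(seconds=120 + i * 0.5)))
    lines.sort(key=lambda l: parse(l)[1])
    return lines


if __name__ == "__main__":
    for source, start, count in detect(sample_lines()):
        print(f"ALERT source={source} window_start={start.isoformat()} count={count}")
```

Run stand-alone, the block reports two alerts: the single host once it passes 50 requests inside ten seconds, and the aggregate window once the distributed flood passes 400, even though no individual host in that flood exceeds 10 requests. A detector that only tracks per-source rates would miss the second case, which is the common shape of a DDoS; in practice the alert feeds the traffic-shifting step the article describes (null-routing a single source, or diverting the prefix to upstream scrubbing) rather than acting on its own.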

While DoS attacks on hospitals are still rare, medical information is valuable. A single patient record can carry all eighteen of the identifiers HIPAA defines as protected, including names, Social Security numbers, birth dates, and insurance and account numbers, alongside the diagnoses themselves. Health care today is one of the most complex data-exchange venues, and it is a venue full of information that hackers could exploit for malicious and fraudulent purposes. By digitizing and sharing medical records, health care in America stands to get cheaper, faster, and better, and it’s going to take IT professionals like Syed to keep data safe during the process.