Between mobility's rock and security's hard place
Host: Becky Barnes, Senior Marketing Manager, Healthcare, IBM Sales & Distribution
Speaker: Eric Brown, Vice President of Healthcare Research, Forrester Research
Becky: Welcome to the IBM Healthcare Security Podcast Program. Today we will continue our discussion on the latest healthcare security trends and topics with a focus on mobility. The mobility movement has tremendous momentum in health care and a security strategy is a must. We are pleased to have with us again today Eric Brown, Vice President of Healthcare and Research at Forrester Research Inc. who will be leading the discussion. Welcome Eric.
Eric: Thanks again Becky. Wireless networks and enterprise mobility are really transforming businesses as diverse as transportation, agriculture and hospitality. This mobility craze is in full swing in healthcare, fueled by the drive to put the best patient information in the doctor's hands at the moment of care and improve collaboration and workflow in the hospital. Clinical information systems have shot to the top of the strategic IT list -- and because patient care is delivered where the patient is and not at a desktop -- this trend has brought along with it a big investment in mobility in hospitals.
Will the doctors use this though? Doctors, often portrayed as being anti-technology, are really not Luddites -- they will use what works for them and will resist what doesn’t. They were early users of some of the first mobile technology, pagers and cell phones, but unlike those in other industries like law, sales or shipping, clinicians need rich applications that combine text, graphics and speech into a "go away" package. Hospitals are investing in the applications and infrastructure to provide these mobile services.
Lists are fun so here is a list of the top seven ways that hospitals use mobility and wireless technology.
- Clinical reference material. The first widespread application of mobile devices among physicians has been for reference material. Databases of detailed drug doses, side effects and interactions, updated on a regular basis and cross-referenced with other medical publications and reference sources, have become standard tools, particularly among each fresh crop of interns. Information sources like UpToDate, Clin-eguide, Epocrates and SkyScape and many others have hundreds of thousands of clinician users carrying bookshelves' worth of content in their pockets -- on PDAs and smart phones. New content is updated wirelessly. To attract and retain the physicians, hospitals themselves have made these services part of the hospital infrastructure, particularly at large academic medical centers that buy access to content "in bulk" and offer it to affiliated admitting physicians.
- Dictation. As smart phones replace the micro cassette recorder, physician notes can be automatically tagged with the patient’s medical record number, date and other information, routed to transcription services (which could be around the corner or around the globe) and fed back to the physician for approval. More than 20% of physicians use some sort of recognition-enhanced dictation tools and this capability has been integrated into all of the leading EMR products. The use of speech recognition technology either in real time during dictation or later to reduce transcription costs make global voice computer combination even more potent for clinicians.
- Electronic medical records, e-prescribing and clinical orders. The clipboard and file folder -- long the standard for medical records -- are pretty portable compared to a desktop PC. As hospitals move patient information online, these online systems have to move with the clinician and be available right where care is delivered. Healthcare IT shops face a few choices in deciding how to deliver these much more rich and complex applications. Putting stationary computers in every room -- and several in some rooms -- is a low-tech brute-force strategy. Another is to deploy Computers on Wheels, affectionately known as “COWS”, with wireless capabilities and roll them around where they are needed. A third is to provide each physician with a portable tablet PC and wireless access.
Hardware firms have even created healthcare specific solutions including a tablet PC from Motion Computing that can be wiped down to sterilize it and has a handy carrying handle. These mobile clinical systems all need highly reliable, easy to access, mobile connectivity as these devices move in and out of the facility. Doctors will want and demand to use their own devices on your network. My son loves his new iPod. This represents a generation of consumers for whom anytime, anywhere access to the Internet is just the way the world works.
- Smart mobile communications. A shortage of nurses in the US has led to innovative applications of technologies to cut waste out of a nurse’s busy schedule. Walking to the phone at the nurses’ station to call about a medication or being pulled away from a patient to respond to a page can consume nearly an hour of a nurse’s time during a day. By deploying a Wi-Fi infrastructure and equipping nurses and staff with wireless voice over IP phones, hospitals have provided the connectivity tools that these mobile healthcare workers need.
A case study performed at Saint Agnes Healthcare in Baltimore, Maryland showed 3400 hours saved as a result of nurses' use of these technologies. The hospitals deployed a Vocera wireless communication system that allowed nurses to respond to pages and contact physicians without having to go back to the nurses’ station. It even features an antimicrobial agent that prohibits growth of a broad spectrum of bacteria, mold and fungi.
Forrester’s data indicates that 13% of enterprises and 6% of small and medium businesses are rolling out Wi-Fi enabled voice devices and an additional 36% of enterprises are evaluating or piloting voice over wireless LAN technology -- with healthcare providers leading the pack. Mobile carriers are offering dual mode phones that use a Wi-Fi signal when available and traditional cellular network connectivity when outside of Wi-Fi range. These technologies will become prevalent in a hospital environment.
- Asset tracking, clinician tracking, patient identification and drug dose tagging. Small wireless tags that provide location information are of particular value in the hospital environment. Infusion pumps, wheelchairs, gurneys and other equipment are poorly tracked and often end up sitting idle in one wing of the hospital while another department suffers from shortage. In a rush to maintain care, administrators do the expeditious thing. They buy more rather than scouring the hospital looking for strays. By using RF ID tags and deploying an array of sensors around the hospital, important assets can be tracked and made available where and when they are needed saving the hospitals millions of dollars.
With this inventory in place, future applications would include tracking staff and patients to locate them more quickly in an emergency. RF ID tags are also becoming part of the safe and secure pharmaceutical supply chain. These sophisticated tags and the more basic bar-coding as well are making mobility part of the patient safety effort by making sure that these drugs are scanned and delivered to the appropriate patient.
- Mobile patient monitoring. Wireless communication has already been used to unclutter the mess of medical monitoring equipment in the operating room. Patients can be moved in and out without having to disconnect them or wheel a huge array of other gear alongside. What if these were extended to patients after they are discharged? Giving patients mobility while still tracking their recovery benefits the hospital, benefits the health plan and benefits the patient.
Recent startup Proteus Biomedical is in the process of conducting clinical trials on its Raisin System, which includes an ingestible event marker that starts broadcasting a signal once it comes in contact with digestive fluids. The signal can be detected either by a skin patch or subcutaneous reader to confirm that patients are taking their prescribed medications on schedule. At a price point of less than one cent per marker there is an opportunity for expansion into other cardiovascular, neurological and infectious disease categories. CardioNet's outpatient cardiac telemetry solution completed a 2007 clinical trial that showed that its technology is three times more effective than the incumbent LOOP event monitors at diagnosing clinically significant arrhythmias.
- Wireless access for patients as a hospitality service. Most hospitals today offer their patients and visitors access to the Wi-Fi networks and promote it on their website so “you may keep in touch with work, family, friends, and current events using your personal laptop computer”. This very conservative and cautious posture of five years ago of no cell phones, no wireless (makes you feel like it's air travel, doesn’t it?) has given way to a more customer-friendly policy of bringing mobility to the patient.
Well, all of this investment in wireless brings challenges as well. The wireless security threat today is what the Internet threat was five years ago. Security perimeters are less attractive to attackers. With the wholesale adoption of enterprise-class firewalls and more reliable intrusion prevention systems, Internet-based attacks have become more difficult and therefore less attractive. These more formidable Internet gateways have forced intruders -- casual or malicious -- to look for other ways to penetrate networks. This shift in attack focus is quickly making wireless the new network security battleground. In addition to the massive TJX theft, many other high profile data breaches via insecure wireless have been reported. Newsworthy thefts have been performed against the wireless networks of notable companies and organizations such as Lowe’s, IRS, Dollar Tree and BJ’s Wholesale Club.
Wireless is an enterprise reality that will only become more widespread over time. Forthcoming 802.11n technology will tempt corporations into trying to eliminate wire networking reliance completely and go fully to wireless. Continued use of insecure wireless security protocols, such as wireless equivalent privacy (WEP), and the lack of wireless intrusion detection technologies make wireless networks increasingly attractive to wireless hackers. We call them whackers.
Securing your wireless network. First let me give a tip of my hat to my Forrester colleague John Kindervag for some insight and advice on how security professionals should prepare for this shift to ubiquitous mobility. In short, you have to treat wireless networks as “untrusted,” as the safety of restricting access to the physical network no longer applies, and you should adopt these five steps (yes, another list) to wireless security.
- Install an Internet firewall to protect the core from wireless LAN (WLAN) users. Implement a firewall that separates the wireless network from your internal local area network and limit access to sensitive resources from the wireless LAN. You should aggregate and route all access points through a single firewall and use rules to restrict access to clinical systems.
- Deploy wireless intrusion detection systems. Wireless intrusion detection systems or WIDS proactively prevent wireless attacks and discover rogue access points. A dedicated WIDS solution will scan the air for malicious traffic and rogue devices automatically mitigating your risk substantially. Without WIDS technology, security personnel are blind to the traffic moving through the air. WIDS provides visibility and alerting capability vital to enhancing wireless security.
- Provide secure and segmented wireless guest access. One ancillary benefit of implementing robust wireless security is that it will force a rethinking of guest user access. By segmenting patients and guests onto their own wireless access points, you reduce a common threat.
- Accept nothing less than strong wireless encryption. TJX is the poster child for poor wireless encryption. A WEP or WPA-PSK wireless network is easily breached, and so strong wireless encryption must be used.
- Place network intrusion prevention systems behind the wireless firewall. It’s important to fully inspect traffic traversing the wireless LAN. While authentication and encryption protect the wireless signal, they don’t prevent malicious traffic from using the wireless network. By running all wireless packets through a network intrusion prevention system, bad traffic can be dropped off the wire before it reaches the internal LAN.
Having a mobility strategy -- rather than taking mobility on a case-by-case or app-by-app basis -- is a must for hospitals because of the number of applications and the critical nature of mobile access and compliance mandates. Having a well-thought-out security plan is a must-have component of that plan. With that in place you are in a good position to ward off unwanted attacks or usage from outside your network.
What about the threat within? Next time, in our fifth and last segment in this podcast series on hospital security, we will look at the ways IT security professionals can respond to the risk associated with internal staff behaving “badly” -- identity management and authentication, encrypting data storage, managing user access, and training people on hospital policy. Please join us.
Becky: Thank you Eric for an engaging discussion on mobility within healthcare and the current landscape -- considerations and challenges -- and the importance of securing the wireless network and developing a mobility strategy. And thank you to our listeners for joining us today. We hope this discussion gave you much to think about and some immediate actions that can be explored.
Please visit ibm.com/expressadvantage/hcsecurity for more information and look for the upcoming final segment in the podcast program. Have a great day.
