Provider organizations that are serious about making information networks accessible to everyone in the organization will need to get everyone serious about not letting security threats worm their way in. That's because the Web-based innovations responsible for making large-scale data sharing possible for hospitals are also powering advances in malicious tampering that will require extensive and costly preventive measures, according to some leading organizations willing to talk about it.
Those measures could influence how information systems are connected and limit the freedom of computer users to receive and exchange data the way they want. Providers also face increases in the overhead expense of information technology--adding a layer of specialized equipment and surveillance professionals as the first line of defense.
But as most of the world found out last month and most IT pros find on a daily basis, computer viruses and other overt or insidious intrusions can rob business operations of time, productivity and confidence in their information systems.
"The Internet is not a friendly environment," says Jenifer Jarriel, vice president of information technology and chief information officer at Baylor College of Medicine. "People are out there every day probing your system."
The Houston-based medical school, which owns or manages 9,000 personal computers spread out among several teaching facilities, took a hard hit last August when three major computer viruses struck within a two-week stretch.
The culprit viruses, widely known by the names LoveSan, Blaster and SoBig, wreaked similar havoc across the healthcare industry and around the world as e-mails with triggering attachments enticed people to take the bait with subject lines like "Wicked screensaver" and "Thank you!" The SoBig virus alone infected 1.2 million computers in the U.S. and 3.2 million worldwide by the end of October 2003, according to Trend Micro, an antivirus and security software company.
Then along came the MyDoom virus last month to eclipse those previous efforts in the speed of its spread and the sophistication with which it moved and worked once inside a computer system. Baylor medical school was largely successful in preventing infections but had to withstand a crushing challenge. Normally IT pros remove 400 virus-infected attachments a day from e-mail traffic. The number removed on Jan. 27: 28,000.
Thus far the biggest impact on hospitals has been the nuisance of controlling the rapid spread and proliferation of computer traffic, which can bring some servers to a halt and prevent the normal running of critical information systems. But the probing and intrusion pioneered by these newer "worms" could presage much more damaging attacks, says Sean Lewis, information security architect at Sharp HealthCare, San Diego.
For example, the SoBig invention was a prototype and probe for "stealing resources and using your system to send mail," Lewis says. Within five months a rogue programmer had perfected a species that could generate relay stations for "spam"--drafting information networks into the shell game of obscuring the source of unwanted e-mail. More ominously, the MyDoom creation was able to access any information on a breached information network, including personal data, he says.
The day is approaching when data in a healthcare system could be deleted during the rapid spread of such viruses, Lewis says.
"It'll be a wake-up call when a worm is released that really does some damage," he says. "If people don't have proper backup techniques, that data could be gone forever."
Awareness or bust
A key defense tactic is proper vigilance and good security practices by the people who use computers and e-mail on an information network. That means installing antivirus software and knowing how to use it, but computer users have to be educated on the rock-bottom basics, too, Jarriel says. "You can't think that if you see a message that says, 'Hello' or 'Hi,' you can just open it up," she says.
Others would go further. E-mail with certain types of file attachments often used in virus attacks never reaches the recipient at Albany (N.Y.) Medical Center--the attachments are automatically stripped off and a response is generated saying that the message was delivered but the attachment wasn't.
It's just one of many steps taken by a special force within that healthcare system's IT department to prevent intrusions on the network of 3,600 PCs and 115 servers serving a two-campus academic medical center, 12 off-site locations and Albany Medical College. The healthcare system will spend another $250,000 on security-related capital projects in 2004 to supplement its already leading-edge operation, says George Hickman, senior vice president and CIO.
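The attachment stripping described above can be sketched as follows. This is an added example, not Albany Medical Center's code: the blocked extension list, the gateway address and the sample message are assumptions constructed for illustration.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed blocklist: the article does not name the types Albany strips.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".bat", ".com", ".cmd", ".vbs"}

def is_blocked(filename):
    # Windows ignores trailing dots and spaces, so drop them before checking.
    name = filename.strip().rstrip(". ").lower()
    return os.path.splitext(name)[1] in BLOCKED_EXTENSIONS

def _prune(part, removed):
    # Walk the MIME tree, dropping blocked attachments at any depth.
    if not part.is_multipart():
        return
    kept = []
    for child in part.get_payload():
        name = child.get_filename()
        if name and is_blocked(name):
            removed.append(name)
        else:
            _prune(child, removed)
            kept.append(child)
    part.set_payload(kept)

def strip_attachments(raw_bytes):
    """Return (message without blocked attachments, names that were removed)."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    removed = []
    _prune(msg, removed)
    return msg, removed

def build_notice(original, removed, recipient):
    # The response: the message was delivered, the attachment was not.
    notice = EmailMessage()
    notice["From"] = "mail-gateway@example.org"  # placeholder address
    notice["To"] = recipient
    notice["Subject"] = "Attachment removed: " + str(original["Subject"])
    notice.set_content("The message was delivered, but these attachments "
                       "were not: " + ", ".join(removed))
    return notice

def sample_message():
    # Constructed sample: one blocked and one allowed attachment.
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.com", "staff@example.org"
    msg["Subject"] = "Thank you!"
    msg.set_content("See attached.")
    msg.add_attachment(b"constructed bytes", maintype="application",
                       subtype="octet-stream", filename="wicked_screensaver.scr")
    msg.add_attachment(b"constructed bytes", maintype="application",
                       subtype="pdf", filename="schedule.pdf")
    return msg.as_bytes()
```

Mass-mailing worms commonly forge the From header, so the recipient of the notice is left as a parameter rather than taken from the message.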
Sharp also has a dedicated security effort within its IT department, with an operating budget of nearly $500,000 and plans to increase spending during the next few years, says William Spooner, Sharp's senior vice president and CIO. Actions to prevent security breaches include a strong acceptable-use policy for computers, a ban on plugging anything into the system without involving IT professionals and central control over who can go on the network and when, Lewis says.
That's a challenge for a healthcare system of 63 facilities in San Diego County with 14,000 employees, 8,000 desktop computers and 10,000 other devices including thousands of biomedical instruments and 350 servers.
The shift toward control of devices, software and policies represents "a big culture change in the healthcare industry," Lewis says, where a bent toward independence and unfettered pursuit of information is facilitated further by Web-era advances.
The downside of Web-enabled access
Connecting and collecting data from dozens of separate computer systems was a tricky and clunky maneuver until Web technology matured as a potential solution in the late 1990s (Aug. 11, 1997, p. 55). By the same method that public Web sites gather and present information to many far-flung and varied computer networks, healthcare systems are building private exchanges within hospitals and outside to clinics, medical schools and physician homes.
Along with technical advances, a renewed sense of the importance of complete and accessible information has followed closely behind escalating priorities such as reducing medical errors and improving adherence to the best practices of care for conditions such as heart problems, pneumonia and strokes.
Most computer networks are built with barriers preventing access by unauthorized people, and they add the protection of passwords and encryption. But as the folks in ancient Troy learned too late, barriers don't always work. One sophisticated type of virus attack is even called a Trojan Horse. It illustrates a favorite tactic in virus programmers' schemes: Get unsuspecting insiders to invite them in.
When Internet technology and scores of computer servers connect thousands of computers and just as many biomedical devices, the opportunity for viruses to find a way in and spread is significant, Hickman says. The challenge is to develop as much centralized management as possible, both technically and through policies on acceptable uses of the computer system, he says.
But that flies in the face of some of the chief benefits of weaving systems around Web technology: connecting existing disparate and nonstandard computer systems while enabling access from remote sites over the Internet. The approach makes the most of what's already in place, forestalling new investment in IT and making it easier to add and merge otherwise incompatible systems from new providers.
That's likely one of the biggest selling points vendors will make on the exhibition floor of this week's Healthcare Information and Management Systems Society annual conference in Orlando, Fla. It's one of the biggest sore points, however, in controlling security. A collection of varied hardware, software and links to and from a shared information network complicates the task of monitoring every vulnerable point and quickly installing antivirus "patches" and other countermeasures for a known threat, Lewis says. "The more systems that you can control on the network, the better you will be."
The challenge will be to make two important initiatives complementary, he says--integrating information from the many applications in use at a healthcare system while also ensuring that the infrastructure connecting the applications is reliable. An essential element of that challenge is building security measures into the design and operation.
Once hospitals succeed in computerizing most critical clinical data, they'll have to take a hard look at what could keep them from accessing the information at all times, Hickman says. "The ability to tolerate outages is substantially diminished," he says. Given the high stakes and the rising tide of computer viruses, "what does this kind of security threat do to that?"
Lessons learned in battle
The 129 largely autonomous departments making up the Baylor medical school, many with their own IT people and policies, may have to get ready for more central direction and standardized computerization, Jarriel says. That likely will include picking one of the most current versions of operating systems available instead of the several now in use; requiring all computers to be loaded with a single version of antivirus software managed by the IT department instead of whatever came with a computer; and investing in new computers that can be monitored from one IT command post.
Within the IT department, a swifter and surer method of installing vendor-supplied fixes for looming virus threats is being put together, she says.
Last August, about one-third of the computers managed by the medical school were infected by the three-virus wave, and it took 2½ days of solid work by all available IT professionals to traipse out to the more than 2,000 affected computers and repair the damage, Jarriel says.
Infected or not, computers on the system were slowed by a proliferation of message traffic, and help desks were overwhelmed by calls. At the peak, more than a million messages went in or out of the Baylor medical school network in one day, compared with 300,000 in a typical day. The usual 100 to 120 calls per day to a help desk spiked to 750 on Aug. 12 and remained at "multiple hundreds for about a week," Jarriel says.
The cost added up to more than $100,000 just for the personnel thrown at the problem--which didn't begin to reflect the lost time for at least 2,000 people who couldn't do their jobs or the loss of computer access to teaching affiliates, she says. Calculating the down time and lost productivity, Baylor officials estimated the outage resulted in a $2.4 million financial loss.
The medical school has faculty at five Houston facilities: Ben Taub General Hospital, Methodist Hospital, St. Luke's Episcopal Hospital, Texas Children's Hospital and Veterans Affairs Medical Center.
The medical school pays $52,000 per year for a Norton antivirus software license but was not getting everyone to use it. A new policy expected to be approved within the first quarter of 2004 will require all computers to run the antivirus package monitored and operated by the central IT department, says Larry Mayran, manager of IT services.
By requiring one corporate choice at all sites, IT personnel will benefit from more consistency and an increased tracking ability, plus a more accurate and quicker count of problems encountered, he says.
But best practices in computer management also involve at least some level of standardization, including a replacement schedule that can keep up with rapidly improving software tools that allow IT professionals to diagnose and fix problems in computers throughout a network from a central control point. About 45% of Baylor's computers are too old to use the state-of-the-art tools for pushing updates and remedial "patches" out to computers, Jarriel says.
The days of buying computers and keeping them for the better part of a decade are over, Mayran says. The long-term remedy for virus protection includes getting into a purchasing cycle in which a third of desktop computers are replaced annually, he says.
Armor, but also special ops
For a large, multifacility healthcare system, assembling the apparatus of security is important but not sufficient, says Sharp CIO Spooner. The seven-hospital system has two dedicated security specialists, including Lewis, plus other IT pros who devote part of their time applying security-related patches, evaluating proper security design and "creating the necessary security architecture" for the healthcare system, he says.
Lewis says hospital systems have to invest in more than specialized monitoring tools in today's security climate. "They may have the technology, but there's nobody behind the wheel," he says, asserting that specialized expertise is just as important to make the tools work.
Managing the constant stream of patches coming from Microsoft Corp. and other vendors is a job in itself, he says. Some may be so urgent that they require immediate attention; others could cause more problems than they resolve through unintended consequences on other computer applications--much like the interaction of medications.
Including testing and assurance that it won't cause additional problems, a patch normally takes five to seven days to implement, says Dennis DeLisle, Albany's vice president of information technology. The IT specialists also have to coordinate the updates with the schedules of the people who use the computers throughout the network.
That's where central control pays off, DeLisle says. The system allows "hands-free management" of virus-protection measures, automatically installing an update in one business day, he says. Servers get first priority and usually are patched in the first hour.
As the recent MyDoom worm demonstrated, IT departments are getting less and less time to react to threats. Viruses typically are written to take advantage of vulnerabilities in computer security that become known, and companies such as Microsoft aim to get corrective patches out before that can happen. But the time between release of the patch and onset of a threat is narrowing by the month.
Lewis says a virus launched a few years ago, named Code Red, didn't appear until six months after the security patch was issued. Last summer's Blaster and SoBig viruses were out within three weeks. The MyDoom worm broke new ground: It did not exploit any flaws in the Microsoft operating system and thus was more of a surprise when it hit.
The new sophistication makes speed of response essential, Lewis says. "Take the assumption you have 24 hours," he says.
Ultimately executives should be as concerned about making investments in adequate protection of electronic data as they would be in ensuring adequate performance of their information systems, he says. "Their data and basically large chunks of their business are dependent on the IT department."