Posted by: Greg Ness | September 18, 2007

Inmates, Asylums and Heart Monitors

Necessity is the mother of invention. 

Everyone is well aware off the sorry state of affairs for server security along with the related compromise of the perimeter of the network.  Gartner recently predicted that 75% of enterprises will be infected by bots by the end of THIS year.  Yet no one is shocked.  My how the world of network security has changed as we get increasingly interconnected and hackers get increasingly sophisticated. 

I suspect that at least half of the few thousand who read this column will have received at least one “you’ve been breached” notice.  Whether the data was on a laptop, stolen via a hack attack or sold by a frustrated employee the effect is the same.  Your identity is exposed.  It is a sad reality that we accept these exposures as a part of our increasingly interconnected and commercial lives.   

Like the boiling frog syndrome, as long as the water warms at a slow pace, we can be a very flexible lot and tolerate once intolerable realities (like invasion of privacy now going commercial). With every breach announcement, every letter we become accustomed to being violated.  Our household was hit with three “you’ve been had” letters over the last 12 months.  Yet things are bound to get worse before they get better. 

Hackers have started to focus more on sophisticated server and database attacks capable of circumventing signature-based network defenses by leveraging a network’s permeable application and protocol layers.  These layers contain patchworks of (attack) vectors often hidden from the view of traditional network security systems operating at low layers (like packet inspection and pattern matching).  They are the network’s equivalent of dark, secret alleyways and hidden passages around walls and checkpoints, covertly navigable by anyone with specialized knowledge and access. 

While this development and the emergence of tools for evading established security solutions is problematic for enterprise security, I still expect many teams to adjust to the discomfort by making additional operational tradeoffs and taking additional data exposure risks until executives mandate change.  How many frogs will be boiled before a new vision takes hold?  Who knows, but let me suggest where it is the most likely that we’ll see the first signs of innovation in server and data security. 

One industry stands out in sharp contrast when it comes to risks, operational demands and consequences and regulatory pressures: health care.  Health care security pros are on the front line of the war for control of servers and data. 

When I think about IT security pros in health care I tend to think that they’re not that different from combat medics operating with whatever is available within the confines of an ever-changing mix of critical demands.  This month’s blog was inspired by several conversations over the last year with network security and operations types in health care. 

The Inmates Run the Asylum 

When it comes to convenience and access, doctors typically carry disproportionate influence in hospital IT decision-making.  While this is acknowledged universally as a necessary condition, it also means that key decisions will tip toward convenience and universal access versus security.  Doctors want unfettered 24X7 access to patient data, monitoring equipment and other critical systems, including medicine delivery.    

Yes, in health care IT, the inmates run the asylum.  The access and convenience appropriately demanded by health care providers unintentionally creates a dynamic where security and operations teams are often on the defensive, reacting to events enabled by access conditions that might otherwise not be allowed in other industries. 

Yet the kinds of minor hiccups in data centers that may create operational pain or even undesirable balance sheet impacts pose even greater risk within a health care network.  Devices like heart monitors, computerized medicine distribution systems and diagnostic equipment are increasingly accessible from the network, because doctors have understandably demanded this level of real time visibility into patient status, etc.  Many of these devices were developed and operate on older legacy operating systems; vulnerability patches designed to protect software from attacks are therefore almost impossible to apply and risk voiding manufacturer warranties and/or crashing the very machine depended on for life support. 

You now have an accidental confluence of well-intentioned factors that create the technical equivalent of a MASH tent in a combat zone.  Random bots, worms and other malicious events evade the network security appliances and plant themselves in devices responsible for managing and maintaining patient health.  Hackers gain operating control of critical health systems.  As one network security pro advised months ago in a phone interview, “Lives are at stake.” 

It’s one thing to be breached and risk identity theft, quite another to have your life on the line.  That is why I think it’s likely that health care will ultimately be the source of server security innovation.  They are on the front line of a much higher stakes battle for control of servers and data.  And the implications are in many ways more permanent. 

More Regulations 

Over the last ten years the regulatory environment has become even stricter, for the well-meaning purpose of encouraging health care organizations to become more diligent about protecting patient data.  Increasing regulation may encourage hospitals to seek improved security via compliance, but sometimes regulations backfire by discouraging innovation and sometimes even placing security-minded staff into compliance versus best security practice dilemmas. 

As a result, health care security requirements also include navigating an ever-increasing maze of bureaucratic procedures and paperwork that introduce career risks and other ancillary considerations, in an environment where time can be of the essence.  It isn’t that far flung to see a future where IT pros also have malpractice insurance. 

The good news is that IT pros in health care are some of the best across all industries.  Hospitals have recognized the importance of information technology to patient care and have invested in state-of-the-art people.  Now if only the health care industry can learn to empower them on a par with physicians so that the health risks of inconvenience are balanced with the health risks of vulnerable, unpatched systems. 

Regardless, I think it is very likely that health care will be the industry that comes up with the best solutions to the security degradation of today’s data center.  In many ways, it’s a matter of life and death.


Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s


%d bloggers like this: