General 5min de Leitura - 02 de February de 2016

How to justify investments in information security in the health segment?

Estetoscópio sobre notebook

This post is also available in: English Português Español

Public and private companies providing health services, such as hospitals, clinics, laboratories and others, should have special treatment regarding information security. The Manual of the Brazilian Society of Health Informatics, supported by CFM Resolution No. 1,821/07, points out that health institutions that adopt electronic medical records must comply with NGS1 and NGS2 safety levels, as well as recommend adopting the best practices of ISO 27002.

It is evident that patients value confidentiality about exams, surgical procedures, results, or even health status for themselves or some family member. The confidentiality of the data is a legal right, and it is the institution’s responsibility to ensure that the information manipulated and stored is safe, both now and in the future.

From the perspective of the employee, having well-consolidated security policies also provides a guarantee, either of barriers to leakage of information, as well as of traceability in the event of any security incident. In addition, it clearly reinforces the organization’s concern for security.

In recent years the health segment has experienced an increase in occurrences related to virtual security and, after the increasing computerization of institutions, with electronic medical files and other ultra-modern systems, computers and terminals everywhere, often exposed in an unnecessary manner, wireless access for visitors and patients, among others, the risks increase more and more.

Because of this, deploying processes and solutions in information security is increasingly strategic for the business. Many renowned institutions already have exceptional maturity in the subject; however, this is not the reality of the vast majority, who often expose very sensitive information and conditions simply by not following basic safety procedures.

Approving budgets for security projects can be a major obstacle for managers because in many cases it is difficult to visualize the return on investment. Since the budgetary forecast of these institutions is usually short, investments not directly related to the operation have priority. This is precisely the purpose of this post, to make a reflection that facilitates the approval of information security budgets, acting in a preventive rather than reactive manner, because in this segment, the secrecy, the custody and integrity of information are critical success factors.

1. Take care of the patient’s virtual health

In a rather simplified analogy, it is imperative that the organization, in addition to physically caring for the patient, also takes care of its virtual health. In other words, this means that one must take great care of the leak control of information about patients.

With the ease of mobile devices and even internet access on the institution’s computers, leaking sensitive information can bring embarrassment to the patient and entail other problems for the company. Therefore, employee awareness and control of the use of devices is fundamental.

Another very important aspect is to ensure access security in the systems used to manage the patient while they are receiving services from the institution. There are many variables that must be taken care of, but in particular, administering medicines, dosages, among others.

Since all of this information is electronic and automated, someone with evil intentions, accessing a network and system with poor protection can cause extremely serious problems for both patient and organization, which has an obligation to guarantee the integrity of its customers.

2. Make it easy to join wireless network securely

Providing internet access for visitors or patients in a health care institution, as well as in many other companies, is something extremely common, and in some ways necessary today. However, this facility can cost a lot of money if it is not performed properly.

Having isolated networks for visitors and patients is an important factor for a good security policy. In many architectures, this is not a reality, and because of having minimal control, make it difficult for users to enter the networks as much as possible, requiring registration and other resources that make the process useless.

Public wireless networks within these institutions must be adequately isolated from corporate networks, as well as guarantee user’s ease and identification (traceability), ensuring compliance with the Civil Internet Framework, defending the interests of all parties involved.

In addition to users’ satisfaction with the ease of use of these networks, all the necessary security requirements are guaranteed to offer the benefit without giving up information security, which must be very preserved in these organizations.

3. Shorten doctors’ distances

Adding value to the clinical staff is an excellent step to justify investments in any area. Moreover, for information security it is no different, since the clinical body can be very well attended, shortening the physical distance to institutions, especially in larger centers where urban mobility is limited.

Through secure remote access techniques with VPNs, it is possible that, regardless of the device, the physician is connected to the hospital or clinic and can perform their functions through the systems without being physically in place. This greatly streamlines everyone’s work, as well as giving a good scalability to the doctor.

It is worth emphasizing that the provision of remote access to the clinical staff should be planned and structured, focusing on the best security practices, avoiding the creation of new vulnerabilities with the availability of these accesses. Therefore, exposing management systems or the like on the internet is not an interesting strategy.

On the other hand, through the intensive use of VPNs, the doctor can be in any place, with any device (desktop, laptop, tablet or smartphone), as long as it is compatible with the software used in the institution, and can execute reports and other functions properly allowed/authorized.

4. Increase employee control, productivity and focus

In many institutions, the computers or terminals available to employees are limited or just offer access to the software required for their functions, often lacking access to the internet. This is interesting, however, the number of activities that depend on the Internet has been growing a lot, and the restriction on use can be a limiting factor for productivity.

On the other hand, having state-of-the-art equipment for operational purposes is an unnecessary cost for the institution, as well as having totally free access to the Internet can increase the risks of unavailability of the equipment due to inadequate access and virus contamination or loss of performance due to abusive use of the resource by the employee.

Security solutions, especially firewalls and proxies, can ensure the middle ground of these two items by providing access to the internet for work-related subjects or content, ensuring controlled and productive use of the resource.

These 4 points of reflection are very interesting and we hope they can help you find ways to justify investments in safety for your area of ​​expertise. If you have any need to deepen content or even aid in the development of a security project, contact us and speak with an expert. We will be happy to be a part of your success.

This post is also available in: English Português Español