Implementing robust access controls in healthcare settings can be particularly challenging for several reasons. But Fisher-Titus Medical Center is making progress in strengthening its authentication and other security controls, says Peter Jacob, the community hospital's manager of IT operations and infrastructure.
"We try to use two-form-factor authentication - something you know and something you own - but unfortunately, [in] the medical industry a lot of the software is a little behind, and our vendors control our destiny, so to speak. But we're looking at vendors that support dual-form factor," he says in an interview with Information Security Media Group.
For example, "if a physician is remote and he wants to prescribe meds, we'll either have a Digi-pass token along with a password, or a password with PhoneFactor ... it calls you and you authenticate in with a PIN code ... and their other credentials," he explains.
But a big part of the challenge is dealing with push-back from physicians and other clinicians who want to access patient data quickly and easily, he notes.
"Anything they can get away with not having to do, they'll try to do that ... or they'll try to get someone else to do that for them, either a scribe or a nurse who's not approved," he says.
Generally, Fisher-Titus Medical Center's physicians have been "pretty good" in accepting multi-factor authentication for prescribing medications because "the state board of pharmacy requires that. We leverage that," he notes.
"But for the most part, we just have to make sure the technology works, and then they'll buy into it."
Role-Based Access Challenges
"A physician will only have access to [the records of] his patients, and a nurse will only have access to the [data of] patients she's assigned to, and we have mechanisms on the back end that track that access," he says. "If we feel there's been a violation, we will run a ... report and take a look at it."
In the interview, Jacob also discusses:
- Measures Fisher-Titus is taking to better address zero-day attacks and to combat next-generation malware and other threats;
- Challenges involving medical devices, the internet of things, and endpoint security;
- Dealing with ransomware as well as cyberattacks such as email schemes targeting executives, business users and non-patient-care-related data, such as financial systems.
Jacob, CISSP, is the manager of IT operations and infrastructure at Fisher-Titus Medical Center, which is based in Norwalk, Ohio, and includes a 99-bed acute care hospital, a 69-bed skilled nursing facility, a 48-unit assisted living facility, and outpatient services. Jacob is an experienced IT infrastructure operations manager with a background in the hospital and healthcare industry.