Defending doctors' web-based clinical tools from hackers

February 9, 2011 by MassDevice

Dr. John Halamka, chief information officer for Boston's Beth Israel Deaconess Medical Center and dean for technology at Harvard Medical School, details a multi-layered defense for medical web applications.

Dr. John Halamka

By John D. Halamka, MD

The internet can be a swamp of hackers, crackers, and hucksters attacking your systems for fun, profit and fraud. Defending your data and applications against this onslaught is a cold war, requiring constant escalation of new techniques against an ever increasing offense.

Clinicians are mobile people.  They work in ambulatory offices, hospitals, skilled nursing facilities, on the road, and at home.   They have desktops, laptops, tablets, iPhones and iPads.  Ideally their applications should run everywhere on everything.   That's the reason we've embraced the web for all our built and bought applications.   Protecting these web applications from the evils of the internet is a challenge.

Five years ago all of our externally facing web sites were housed within the data center and made available via network address translation (NAT)  through an opening in the firewall.   We performed periodic penetration testing of our sites.  Two years ago, we installed a Web Application Firewall (WAF) and proxy system.    We are now in the process of migrating all of our web applications from NAT/firewall accessibility to WAF/Proxy accessibility.

We have a few hundred externally facing web sites.  From a security view there are only two types, those that provide access to protected health information content and those that do not.   Fortunately more are in the latter than the former. 

One of the major motivations for creating a multi-layered defense was the realization that many vendor products are vulnerable and even when problems are identified, vendors can be slow to correct defects.   We need  "zero day protection" to secure purchased applications against evolving threats.

Technologies to include in a multi-layered defense include: