What keeps a hospital CIO up at night

Earlier this year, my team presented a list of risks to the Compliance, Audit and Risk Committee at BIDMC. Here’s my list of top risks for 2012:

1. Old Internet browsers. Many vended clinical applications require specific versions of older browsers such as Internet Explorer 6, which are known to have security flaws. We’ve worked diligently to eliminate, upgrade or replace applications with browser specificity. At this point we are 96% Internet Explorer 8/Firefox 7/Safari 5 minimizing our risks to the extent possible.

2. Local Administrative rights. Of our 18,000 devices on the network, a few thousand are devices that require the user to have local administrative rights to run their niche applications (often the research community doing cutting edge research with open source or self developed software). We have done everything possible to eliminate Local Administrative rights on our managed devices.

3. Outbound transmissions. Security has historically focused on blocking evil actors from the internet. Given the current challenges of malware and infections brought in from the outside, it’s equally critical to block unexpected outbound activity.

4. Public facing websites. Any machine that touches the internet has the potential to be targeted for attack. We’ve implemented proxy servers/web application firewalls on most public websites.

5. Identity and Access management. Managing the ever changing roles and rights of individuals in a large complex organization with many partners/affiliates is challenging. If an affiliate asks for access to an application, how do you automatically deactivate accounts when users leave an affiliate, given the lack of direct employment relationships?

6. Anti-virus. The best anti-virus applications only catch about 50% of malware. Thus, a multi-layered defense is required. However, adding all those layers impacts performance and can result in false positives. Balancing security, reliability, and performance is challenging.

7. Security awareness. When that phishing email arrives asking users for their username/password, social security number, and a DNA sample, some people still fall for it. Many users surf sites that are known virus distribution sites. Even social networking is a vector for malware.

8. Keystroke loggers and screen scrapers. Mobile devices and home computers beyond IT control may contain keystroke loggers that capture user credentials, bypassing encryption, VPNs, and other layers of security.

9. Forensics. Increasingly sophisticated security infrastructure implies more events to research which requires additional staff that are challenging to find, recruit and retain.

10. Third party desktop software. It’s no longer the operating system that presents the greatest risk, but security holes in Java and Adobe products such as Flash.

Security is journey and you’ll never be done. The hope is that your risk profile improves over time as more of the environment is locked down, creating a restrictive rather than permissive infrastructure which makes services available by exception to the minimum extent necessary while balancing security and ease of use. As I’ve said before, this is a Cold War at a time when Meaningful Use encourages more data sharing and breach reporting/regulatory penalties are increasingly severe. All you can do is your best, given fixed resources and time. And try to get some sleep.

John Halamka is Chief Information Officer of Beth Israel Deaconess Medical Center and blogs at Life as a Healthcare CIO.