Wednesday, November 29, 2017

Any HIPAA security guru's got a moment for the hated vendor?

So for anyone in healthcare IT, I'm THAT guy now. The vendor who brings in a VM OVA file that was created in 2015, a bunch of desktop PCs, and network requirements from the mid-'90s.

As a bit of background, I work for a rather large company that provides patient monitors to hospitals (the beepy heart monitors in your hospital room), and because we have people's lives on the line, our equipment has to be approved by the FDA for every facet of how it is touched. As such, we have the following requirements:

  1. Any and all security patches to our system must first be tested by our R&D for any impact.

  2. No outside software can be installed without first being fully tested.

Now this seems sensible on the surface, but combine it with the fact that, in order to ensure our systems communicate issues to the nurses the moment something happens, we have to be able to display the results less than a second after the event is detected.

This makes our latency requirements make VoIP look generous. Any latency of more than 30ms will break our system. Prior to the current version this was easy. We built the entire network connecting these systems ourselves, separate from the hospital's, and connected to it only to send over the data that was needed. Unfortunately, with the new ACA requirements, larger amounts of patient data had to be stored with the hospital, so we began connecting our network to the hospital's, or letting the hospital connect our devices to their network provided they could meet our requirements.

Unfortunately, this is where I turn into the enemy. Our requirements are things like:

  1. Antivirus is limited to two vendors and must be so disabled as to render it useless.
  2. No form of snapshots can be done to any VM we issue, and no form of backups can be made beyond the one we provide.
  3. No group policies may be applied to the systems whatsoever.
  4. No external clients for malware scanning or similar may be installed.
  5. Remote support for our systems must be provided using our own custom remote solution, which has been cobbled together from a handful of older, unsupported solutions that the DOD once used.
  6. Most critically, any security patches that do make it through our approval process show up a month and a half after they are released, and must be applied manually, which will likely result in downtime for the patient monitoring system.

Now I've only been with this company for a little while, and I know the pain of a regular, non-HIPAA, non-PCI audit, and I know how much those requirements suck. I know that this is the kind of thing that screams the Target breach or WannaCry all over again. The problem is that there is nothing I can do about it. My job with the company is to negotiate with IT to communicate these requirements and ensure that they are met. I have even come to understand why these requirements have to be so ridiculous, but the problem I've come to you with is this:

*Is there a documented process to allow a HIPAA-compliant system that cannot be patched to be approved?*

Obviously there are going to be systems that, for whatever reason, cannot ever be patched, cannot be ensured as safe, and have to be considered largely toxic devices: embedded Windows systems, legacy systems, etc. We all have them, and we deal with them by isolating them and locking them away from our network as hard as possible. Fortunately this is something I can support and actively encourage our customers to do, but security is all about CYA, and they need documented proof. They need exceptions and they need proven processes. So for any poor soul out there whose job it is to deal with this kind of thing, can you help me find a process that I can give my irate IT customers to help them C their As? Keep in mind that just saying "stick us behind a firewall and lock us down to the absolute bare minimum required" isn't what I'm looking for. That is of course what we need to do, but I need something with a bit more authority than my own dumbass self saying so.
