The physical perimeter of the UConn Health campus in Farmington, Connecticut, is much like the virtual one chief information security officer Tom Murphy maintains every day. It’s there, but it’s more open, with new data flows passing in and out freely. The challenge then becomes how he can protect data as sensitive as patient and research information in that kind of an environment.
“My role—and the goal of my organization—has shifted from building a moat around the castle to managing risk down to the device level,” Murphy says. “Insider threats like worms, Trojan horses, and phishing attempts are increasing at a time when we have to maintain more outside access to keep research and business going. All the while, there are regulatory requirements around how to protect patient data.”
Threats can come from anywhere at any time. Murphy mentioned the struggle that many hospitals are having with ransomware, malicious software designed to block access to a computer system until a sum of money is paid. According to the 2016 Intel Security Data Protection Benchmark Report, the healthcare industry is averaging nineteen data-loss incidents per day.
The UConn Health System hasn’t been hit by ransomware, but the threat is there because the campus includes UConn John Dempsey Hospital. In all, there are fourteen physical locations where researchers, staff, and doctors move about during a typical workday.
“I can build a secure environment on campus and allow data to flow into and out of it, but now, data goes out to medical device vendors and cloud storage providers,” Murphy says. “It’s a much bigger corral.”
As a result, the leadership team includes Murphy in all meetings about any major project they’re considering. Security breaches not only mean potential monetary loss, but they also scare away patients. It’s bad for business on many levels.
“It’s a foregone conclusion that information security analysis has to be done,” he says. “We’re there from the beginning, in lockstep with whatever initiative they’re discussing. That means more work, but we’re happy to do it.”
“My role has shifted from building a moat around the castle to managing risk down to the device level.”
One big project Murphy and his team recently completed is the encryption of devices used by UConn Health employees. Even their personal devices were encrypted. “Our original encryption effort was based on the governor’s order that all state-owned laptops be encrypted,” Murphy says. “We quickly realized all the small-form factor and fixed devices posed the same risk, so we expanded to include them.”
There were many benefits to this effort, including meeting HIPAA requirements to achieve safe harbor status for lost or stolen devices. Grant funders also liked knowing that all research data would be encrypted, keeping their investments safe.
With so many devices to cover, Murphy was able to get a good deal on encryption service products, and UConn Health became an early adopter of new mobile device encryption technology. Murphy wanted the latest technology for mobile devices in particular.
“We saw a trend of university-owned smartphones and tablets moving to Apple iOS,” he says. “People went quickly from old flip phones to carrying devices that are effectively computers.”
Soon, many of those smartphones weren’t university-owned. Murphy says doctors and researchers disliked carrying around two devices—one for work and one for personal use—to communicate, so they chose to do it all on their personal devices. Murphy had to convince them that encrypting their personal devices was the right thing to do.
“We developed a bring-your-own-device, or ‘BYOD,’ methodology, and expanded our deployment with a self-enrollment page,” Murphy says. “By enrolling employees for access to our data, we were also accomplishing more security through encryption on their personal smartphones or tablets.”
Now, not only does UConn Health have about seven thousand encrypted, state-owned computers, it also has safeguarded more than 2,500 smartphones and tablets. Those mobile devices include innovative technology that allows Murphy and his team to pull off work-related data should the device get stolen or misplaced, or when an employee leaves.
The encryption project was a Herculean accomplishment, but Murphy knows it’s just the beginning. As part of a program aimed at improving the cybersecurity of medical devices, he is increasingly involved in discussions with medical device manufacturers about new devices with wireless connectivity. A few are even implanted within the bodies of patients. Murphy says UConn Health has some fifteen thousand medical devices, many of which are connected to its wireless network. A denial-of-service attack on one of those devices could have a very negative impact on patient safety.
“One example is an implant that measures the blood pressure of the femoral artery, a device which uploads that data using cellular technology to a cloud-based network,” Murphy says. “It can detect congestive heart failure twenty-one days before symptoms appear. These devices are playing an active role in the health and safety of humans. There’s no room for error there.”
“It used to be just science fiction, where people could take control of technology and control medical implants, but the train is headed in that direction,” he adds.
Given the weight of his daily responsibilities, Murphy even maintains a connection with the FBI. In the wake of 9/11, he became part of a public-private initiative called Infragard. Murphy and other security professionals meet regularly with FBI agents to discuss trends and challenges in cybersecurity.
“Modern incident response to a public safety event like a terrorist attack includes a large amount of technology, and securing that is critical,” Murphy says. “UConn Health is a state public health institution, and we have a significant role in incident response.”
In preparing himself and UConn Health to respond to any potential cybersecurity incidents, Murphy is also preparing to help his country should it come to that—though he hopes it won’t. But if his job has taught him anything, it’s that threats can come from just about anywhere.