By Ken Khouri
Director, Software Support & Managed Services
Varian Medical Systems
The pace of cyber-attacks against healthcare providers has been accelerating. Not only has the amount of stolen data soared but the method of attack is changing from stealing to ransoming data - encrypting it and then charging a fee to de-encrypt the files. On May 12, 2017, WannaCry, a global ransomware attack, grabbed headlines around the world when it impacted some 200,000 systems in 150 countries, according to press reports. Once infected, some users paid a ransom to unlock their data files.
Every healthcare provider is a potential target. Healthcare data has become a hot commodity because it’s often easier to acquire than data from industries with more robust protections. It is also considerably more valuable. In the first two months of 2017 alone, approximately 46 US healthcare providers reported breaches affecting more than 1 million patients.* Criminals are finding more ways to exploit stolen patient data, and even using it for fraudulent insurance claims.
From the start, banking and e-tailing addressed security as an integral part of the online customer experience, while healthcare focused more on interoperability, enabling providers to collaborate across boundaries. Engineering efforts have tended to focus on improving patient outcomes, rather than on data security.
The time has come for healthcare providers to give security a new level of focus. The tide is turning. The Office for Civil Rights is holding providers accountable by publishing breaches of privacy that affect more than 500 patients and sometimes by levying fines for not meeting reasonable security standards. The fines can add up, with the largest penalty among healthcare providers reaching nearly $6 million in 2016.
Healthcare providers are turning to their technology vendors and partners for help. Three years ago, Varian’s customers seldom asked about data security. Today it is a topic on the minds of every CIO and CMIO. They want to understand the risk that they're assuming when purchasing software or services from third parties. The US Food and Drug Administration (FDA) is also asking that vendors do more to mitigate the risk of cyber-attacks against their products.
Varian is also addressing the issue of tighter cyber security with ARIA® 15.1—primarily a “security” release of the company’s oncology information system. While we are a medical technology company and not a security company, the high stakes warranted a more proactive, systematic approach. That’s why we made the important decision to focus this ARIA release on security.
Varian has taken a number of concentrated actions on security. We shifted substantial engineering investment to security and hired additional domain expertise. We engaged multiple parties to conduct in-depth threat analyses on our core software and hardware products. We then took a risk-managed approach to making enhancements that introduce additional barriers to thwart anyone acting with malicious intent. Many of these enhancements are introduced in ARIA 15.1. It should be noted that, while these enhancements are primarily for ARIA, they result in security benefits throughout a fully-integrated Varian system.
ARIA 15.1 integrates directly with Microsoft Active Directory™ systems, providing users with the convenience of using their existing log-in credential throughout our system. Users of the Varian system can be authenticated directly against the central identity management system for a hospital or clinic. One set of credentials and one set of IT policies extend into Varian products. Users have one identity that is easy to manage and track.
Varian has taken a close look at the tools it uses to install software on workstations in client environments and has taken steps to reduce the potential for anyone to use those tools for malicious purposes.
Varian now requires all communication to the database to be encrypted. Malicious actors are unable to eavesdrop on traffic passing along the hospital network in and out of the database. This encryption works by way of SSL certificates managed by the hospital. Hospitals can implement different schemes with these certificates, including tying them to specific workstations.
Customers need to know if the integrity of their database becomes compromised. Varian has processes that periodically assess the integrity of the ARIA database and logs abnormalities. Varian doesn’t monitor the changes, but customers can if they choose. In time, our goal is to proactively monitor and alert customers to suspicious changes.
Web service access now requires additional verification from clients to prevent unauthorized access, making it more difficult for malicious actors to extract patient information from application program interfaces that exist for inter-connectivity reasons.
Well-executed spearfishing attacks are often successful at obtaining valid user credentials. Varian has implemented measures to disrupt attempts to extract patient information even if credentials are compromised. Essentially, we have employed defense-in-depth techniques with multiple layers of security to make getting or tampering with patient information much more difficult.
We have validated our software release to run with an industry-leading anti-malware platform. If customers do not have an anti-malware tool in place on the infrastructure where their protected health information resides, we can recommend one and ensure our software performs well in that environment.
SmartConnect® — Varian’s utility for diagnosing and troubleshooting technology problems remotely—has also been made more secure with the addition of stronger authentication processes. Varian has greatly reduced the risk of an unauthorized person using SmartConnect by deploying out-of-band (OOB) two-factor authentication. This requires service personnel to use their cellular phones as a second step in the authentication process. Any unauthorized person trying to enter the network via SmartConnect would not have access to an authorized cellular phone and so would be blocked.
While we cannot solve all the serious security challenges facing healthcare providers today, we are committed to helping where we can reasonably do so. ARIA 15.1 takes an important step forward to address the security concerns of our customers. It is our intention to continue making data security a central priority in product development and in how we manage our customer support processes.
* US Department of Health and Human Services Office for Civil Rights Breach Portal.
Enhanced security is big news for ARIA 15.1. However, it is not the only news. We have also included capabilities that align with the heightened security of this release.
Electronic prescribing of controlled substances. Electronic prescribing of controlled substances, which helps prevent abuse, cuts costs, saves time, and is permitted in all US states, but not all EMRs support it. ARIA 15.1 does. Oncologists can prescribe controlled substances in ARIA with added confidence in the enhanced security. (This functionality was first introduced with ARIA v. 13.7 in the US, and continues to be an important component).
Seamless information exchange with hospital EMRs. ARIA 15.1 employs a standard platform for interoperability with the information systems used by more the 4,000 US hospitals. ARIA Connect links the ARIA oncology information system (OIS) that radiation oncology departments use to manage workflow with the hospital information system (HIS) where demographic, clinical, and billing information resides and provides radiation oncology teams reliable, real-time, seamless access to up-to-date HIS information.
Up-to-date support for CMS Quality Payment Programs. ARIA 15.1 has built-in, ready-to-go data collection and reporting required for the evolving quality payment programs of the US Centers for Medicare & Medicaid Services (CMS), including the Oncology Care Model (OCM).
For more information, visit the ARIA OIS for Radiation Oncology and ARIA OIS for Medical Oncology product pages.