June 28, 2012

Initiative enhances security of clinical workstation computers

Web monitoring and filtering systems have been installed on all of Vanderbilt University Medical Center’s 6,200-plus Clinical Workstation (CWS) computers to help protect the integrity and confidentiality of information that is stored on these computers.

A CWS is a computer used by multiple faculty and staff with centrally managed operating systems and administrative controls over application access and desktop settings. These workstations are located on patient floors in the hospitals and clinics and are used to deploy certain restricted clinical applications (like accessing patient information) under a single security shell. Users log in and out of CWSs many times every day.

More than 15,000 users have access to the CWSs stationed at the Medical Center and some of the outlying campuses. In addition to documenting information during a clinic visit or hospital stay, users frequently access the Internet on the workstations to verify or obtain additional information for patients (such as the location of a nearby pharmacy or patient education materials).

“Our CWS users need some functionality for clinical business on the Internet,” said Monroe Wesley, MBA, director of Enterprise IT Risk/Informatics Security at VUMC. “But we’re also trying to protect our organizational assets.”

Web monitoring and filtering systems group sites into categories or classifications such as search engines, social networking, news, gambling, sports, etc. Accessing some of these sites poses security issues that are not readily recognizable. One person accessing an infected website at a single workstation could corrupt the operation of that CWS, as well as potentially all 6,200-plus workstations.

Some categories of websites may be blocked on Clinical Workstations if they are related to malicious code or content, inappropriate content, security risks or violations, or non-work-related content, Wesley said.

“Any of these types of sites can lead to data loss and/or productivity loss of the machine. The CWS environment is designed with layered protection against infectious and malicious attacks from the outside (antivirus programs), but the methods used by those with malicious intentions are becoming more creative and covert. There are ways to jump over the protection fences,” he said.

“It’s not uncommon for known good sites to contain infectious links or content, and when someone accesses those infected websites it can open pathways directly to the machine, allowing infections to bypass the layers of protection.”

Wesley said this is not an example of an organization using technology to manage its employees.

“We’re not trying to be ‘Big Brother.’ Some categories or classifications contain sites that are counterproductive to the design and specific purpose of the CWS and can cause severe performance slow-down on workstations. These monitoring and filtering devices narrow our risk window.”

Gaye Smith, Chief Patient Experience and Service Officer, said the Medical Center’s patients are at the heart of the added protection.

“Protecting the confidentiality and integrity of the personal health information our patients entrust to us from external attack or breach is required by federal and state laws and regulations, but more importantly it is the right thing to do for our patients,” she said.

If a site is blocked, faculty and staff members using a CWS will get a data box on the screen informing them of the blockage. They will then be given an opportunity to click on a site information form to submit to the Enterprise IT Risk team if there is reason to believe that the site has been classified inaccurately and should be unblocked. “This feedback process is important,” Wesley said.