For health care companies of all sizes, security management has become a monumental task. IT managers must ensure compliance with federal regulations governing the use and distribution of digital patient records and secure claims-transmission procedures. Sharp HealthCare uses a combination of software for desktop security management.
The San Diego-based nonprofit provides health care services at four acute-care hospitals, three additional specialty hospitals and two affiliated medical groups. Its users include 2,600 physicians. With 900 applications residing on 14,000 desktops, Sharp HealthCare's IT managers have their hands full.
Although the bulk of those applications are clinical, Sharp also uses Microsoft Office, Internet Explorer and Outlook, all of which are vulnerable to threats such as malware, spyware and viruses. Email and Word documents can contain sensitive patient information, as well.
Sharp uses AppSense and LANDesk software to monitor user rights and lock down desktops, among other security-related operations. In turn, these capabilities can increase user productivity by eliminating the threat of invasive code on the server.
"We have to conform to regulations like HIPAA [the Health Insurance Portability and Accountability Act], and this becomes very complicated," said Aaron Ortiz, manager of enterprise device architecture at Sharp. "The main concern is the rate at which the technology we use has advanced, including social networks where users share photos and documents. We have to manage security across technologies and determine what data is appropriate for sharing."
Health care providers are not the only organizations that are dealing with threats originating on the desktop that can disrupt the enterprise. Companies across industries should aim for application flexibility without interfering with security, according to David Johnson, an analyst at Cambridge, Mass.-based Forrester Research Inc.
"A Word document or Excel spreadsheet with an embedded macro can include malicious code, and users can run that by mistake and without their knowledge," Johnson said. "Any application running on Windows -- including those with Java and Flash -- is vulnerable simply by how that OS works. Office is as vulnerable as any desktop application on Windows."
Sharp applies AppSense to reduce security management pain
Sharp uses AppSense's Application Manager product to avoid security threats from malware. The task remains a challenge, whether users access enterprise applications on desktop PCs or with mobile devices. Security policies should be designed to allow administrators to install only trusted applications and prevent users from tinkering with installation processes.
"If we give users complete access to computer resources on the server, viruses are a big concern," Ortiz said. "AppSense helps us minimize that threat by removing admin rights, and it also removes access to applications users should stay away from."
More on desktop security management
Java and fileless malware pose new security threats
Locking down Windows devices with Group Policy settings
Using Microsoft Security Compliance Manager for protecting desktops
Watch out for supercookies, another threat to desktop security
Endpoint defense requires more than Windows security scans
Microsoft's free Attack Surface Analyzer can find vulnerabilities
IT managers use AppSense to lock down the desktop and apply a corporate security policy. For example, IT doesn't want users of Internet Explorer to download ActiveX, which has been called a virus in itself. Because it is built into a browser, when ActiveX is enabled, it could allow any webpage to take control of a desktop PC.
Outlook presents its own desktop security challenges. Organizations should control user signatures for every email sent outside the company. Sharp uses AppSense to get around problems associated with generating standard signatures for different operating systems.
"Using AppSense, we can apply user preferences such as Outlook signatures dynamically, on the fly," Ortiz said. "This could be on Windows XP, or after we migrate to Windows 7 and beyond. We apply certain user changes, and they're OS-agnostic."
For software installation on the desktop, Sharp takes user administration rights from users to reduce threats of all kinds. AppSense also monitors installation processes.
"When a user calls into the help desk after they run into an installation issue, we can automatically evaluate the application on the back end," Ortiz said. "Many users don't have admin rights, nor do they have privileges to install applications. That's partly to mitigate the potential for malware and viruses to enter the server"
Using LANDesk to enforce desktop security policy
Sharp uses LANDesk Security Suite to complement the security features in AppSense. The PC-based software is designed to help reduce both internal and external vulnerabilities. IT managers can establish and enforce security policies governing encryption on desktops, laptops and mobile devices. The goal is to ensure compliance, maintain application performance and reduce administration tasks.
Using LANDesk, as with AppSense, Sharp's IT managers can lock down devices to stop the spread of malware and other threats. Adobe and Microsoft applications are a concern, Ortiz said, but LANDesk can automatically install patches to various apps.
"LANDesk also gives us visibility into how many PCs access server-side applications and what's installed on the desktop machines," he said. "Even though most of our 900 applications are clinical, we can still manage updates and patches. With Office, we can also make sure we are up to date with current patches."
The cloud brings its own security problems
Use of the cloud by a wireless device, especially smartphones in bring your own device (BYOD) situations, presents other security threats. Users can easily place sensitive patient information in Dropbox or similar shared file folders, said Forrester's Johnson.
"If an employee can put Medicaid information in a Dropbox folder, that's vulnerable," Johnson said.
At Sharp, many clinicians can access the Internet from mobile devices without any blocking. At the same time, IT staffers must ensure certain users can't access data that is inappropriate for the cloud because of HIPAA restrictions.
"As part of our BYOD policies, there's a lot of concern about data leaving the network and residing in the cloud," Ortiz said. "For example, patient IDs can't get outside the server environment and reside in the cloud. If this happens, IT people in charge of security actually call users to tell them they're sending patient data across to the cloud, which they're not allowed to do."
As with clinical applications, Sharp HealthCare must be sure its desktop security policies cover when a smartphone user stores a Word or other document containing patient information in the cloud.