SAN FRANCISCO -- A panel of healthcare security leaders says increasing pressure from users and management to allow access to social networking and Web 2.0 technologies is raising new concerns about keeping their IT environments secure.
The discussion at the 2010 RSA Conference offered a unique look at decisions faced by security directors charged with protecting the systems, data and the reputations of their organizations amid a growing business demand for access to sites and services like Facebook, Twitter and YouTube.
Frank Waszmer, information security architect at Health First in Rockledge, Fla., said he spent a lot of "years and tears" convincing management to implement more stringent security policies to protect against external social networking threats, only to face new pressure from marketing, doctors and others within the company who claim social networking access is increasingly critical to their jobs.
"So we're kind of turning the valve back a little bit" to allow some access to social networking sites, Waszmer said, "but the pressures are tremendous" because groups like marketing can put a dollar figure on the value of social networking tools. He added: "But I don't want to come back in the middle of the night and have to scramble to take 20 PCs off the network because there's a virus. We had that under control, but now we're going back the other way."
Allen Dawson, director of information security for John Muir Health in Walnut Creek, Calif., said his organization had been using a combination of Web and content filtering to block access to social networking sites. Recently, however, HR requested access to LinkedIn, and then his CIO wanted the organization to have a presence on Twitter, creating new questions about who should have access to which services.
After his organization installed Web traffic filtering technology a few years ago, Dawson said he was shocked to discover that nearly 70% of the organization's Web traffic was on MySpace. Users stopped attempting to visit the site once the organization blocked access, but when the filtering service would go down for just a few minutes, users would immediately take advantage of the opportunity to visit the site again en masse.
Conversely, Wayne Wright, information security specialist for the Manhattan-based Visiting Nurse Service of New York (VNSNY), said VNSNY maintains a strict policy that blocks its 4,500 laptops from accessing social networking sites and only allows access on a case-by-case basis.
"It's probably best to start off with a conservative policy for Web access and open it up as time goes on," Wright said. "If you start locking things down as you go, you're really going to run into some problems; people are going to be screaming."
Waszmer said security managers should engage executives and HR managers to help them understand the risks and set Web access policies for the organization. He also said HR and business managers should consider the productivity loss involved with allowing social networking access.
"A doctor wanted to sue me because I wouldn't let him go on YouTube to watch a training video," Waszmer said. "So we created policies for specific training sessions, but that's a lot of work."
But even with a policy and technology in place, if a popular website is infected, Waszmer said it can spread malware throughout an entire organization rapidly, citing the 2007 Miami Dolphins Stadium website hack during Super Bowl week.
"There are some dilemmas we're dealing with and it's not easy," Waszmer said. "Pressure from up top is tremendous to support the needs of the business, but then we have regulations and government saying if you have records that leak out, you have to go to the local media and say you had a breach. It's a tough balance, and technology is not going to always take care of everything."
Waszmer said these predicaments are similar with Web 2.0 technologies and cloud-based services. Users continue to demand access to these services to improve collaboration or reduce IT costs, but they don't understand the increased risk of data loss that comes with that access.
Wright said from a technology perspective the best defensive approach involves layering traditional firewall and antimalware technologies with data leakage prevention (DLP), security information and event management (SIEM) and content filtering.
"So it's not just one thing, but there are many layers, and if one doesn't catch it, another will," Wright said. "You'll never be 100% secure, but you just have to be reasonably comfortable."
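The layered approach Wright describes, together with the case-by-case exceptions Wright's organization grants and the filter-outage failure mode Dawson saw, can be sketched as a small policy evaluator. The following is an added example written for this page; it is not code from any of the organizations or speakers quoted. Every name in it (the user IDs, the site-to-category table, the DLP patterns, the `evaluate` function) is a constructed assumption, and the category lookup stands in for whatever commercial filtering service an organization actually runs.

```python
"""Layered outbound web-access policy: category filtering with per-user
exceptions, then a DLP check on the request body, with every decision
recorded as an event a SIEM could collect.  Constructed illustration;
all users, hosts, categories and patterns below are sample data."""
import re
from dataclasses import dataclass, field

# Site categories blocked by default (constructed policy).
BLOCKED_CATEGORIES = {"social-networking", "video-sharing"}

# Case-by-case exceptions: which user may reach which otherwise-blocked host.
USER_EXCEPTIONS = {
    "hr.recruiter": {"linkedin.com"},
    "marketing.lead": {"twitter.com", "facebook.com"},
}

# Stand-in for the categorisation a filtering service would return.
SITE_CATEGORIES = {
    "facebook.com": "social-networking",
    "twitter.com": "social-networking",
    "linkedin.com": "social-networking",
    "youtube.com": "video-sharing",
    "myspace.com": "social-networking",
    "intranet.example.org": "internal",
}

# Minimal DLP patterns: a US SSN shape and a constructed medical-record prefix.
DLP_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN-\d{6,}\b"),
}


@dataclass
class Request:
    user: str
    host: str
    body: str = ""  # outbound content, e.g. a form post


@dataclass
class Decision:
    allowed: bool
    layer: str  # which layer made the call ("none" if all passed)
    reason: str
    events: list = field(default_factory=list)  # SIEM-style records


def content_filter(req, service_up=True):
    """Layer 1: category filter.  Fails closed when the filtering service is
    down, so an outage does not silently open access to blocked sites."""
    if not service_up:
        return Decision(False, "content-filter",
                        "filter service unavailable; failing closed")
    if req.host in USER_EXCEPTIONS.get(req.user, set()):
        return None  # exception granted here; later layers still apply
    category = SITE_CATEGORIES.get(req.host, "uncategorised")
    if category in BLOCKED_CATEGORIES:
        return Decision(False, "content-filter", f"category {category} blocked")
    return None


def dlp_check(req):
    """Layer 2: stop outbound bodies that carry record-identifying patterns,
    even on a host the content filter allowed."""
    for name, pattern in DLP_PATTERNS.items():
        if pattern.search(req.body):
            return Decision(False, "dlp", f"{name} pattern in outbound body")
    return None


def evaluate(req, service_up=True):
    """Run the layers in order; the first layer to object decides, and the
    decision is logged either way so the SIEM sees allows as well as blocks."""
    layers = (lambda r: content_filter(r, service_up), dlp_check)
    decision = None
    for layer in layers:
        decision = layer(req)
        if decision is not None:
            break
    if decision is None:
        decision = Decision(True, "none", "no layer objected")
    decision.events.append({
        "user": req.user, "host": req.host,
        "action": "allow" if decision.allowed else "block",
        "layer": decision.layer, "reason": decision.reason,
    })
    return decision


def run_samples():
    """Constructed requests exercising each path; returns the decisions."""
    samples = [
        (Request("nurse.a", "intranet.example.org"), True),
        (Request("nurse.a", "facebook.com"), True),
        (Request("hr.recruiter", "linkedin.com"), True),
        # Exception lets the host through; DLP still catches the record number.
        (Request("marketing.lead", "twitter.com", "re: MRN-123456 update"), True),
        # Filtering service outage: policy fails closed instead of open.
        (Request("nurse.a", "myspace.com"), False),
    ]
    return [evaluate(req, up) for req, up in samples]


if __name__ == "__main__":
    for d in run_samples():
        print(d.events[-1])
```

The fourth sample is the point of the layering: the marketing user's exception satisfies the content filter, but the DLP layer still blocks the post because it carries a record identifier. The last sample shows the design choice that addresses the outage Dawson described: when the category service cannot answer, the evaluator denies rather than allows.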