Moscow Polytech experts disclosed the main vulnerabilities in the protection of medical information systems
Specialists of the Department of Information Security at the Faculty of Information Technologies of Moscow Polytech presented an analysis of the key vulnerabilities in medical data protection and developed practical recommendations for eliminating them. The report was presented as part of the International Case Championship “Medical Analytical Platform”.
The report pays special attention to protecting the local networks of medical institutions, deploying certified protection tools, and conducting regular security audits. The experts note that these measures have become more pressing in light of recent legislative changes that increase liability for personal data leaks.
In the report, the specialists identified critical points in the medical data protection system and proposed a set of measures to prevent leaks of confidential information. The analysis covered all levels of medical information systems, from federal databases down to the local equipment of hospitals.
According to the experts, the key factor in protection is the correct configuration of the local computer networks of medical institutions. Network segmentation and separation of access to different types of medical data are essential. For example, information from laboratory equipment used for emergency diagnostics should be stored separately from administrative systems.
The second important aspect is the deployment of certified information protection tools. The experts recommend using specialized solutions for monitoring and analysing the level of protection of medical information systems. The software must also meet the requirements of the Federal Service for Technical and Export Control (FSTEC) of Russia set out in FSTEC orders No. 17, No. 31 and No. 239. Data protection is especially important in systems involved in making diagnoses and prescribing treatment.
The third key element is regular security auditing. Medical institutions should assess the security of their information systems at least once a quarter. This makes it possible to promptly detect and eliminate potential vulnerabilities in the systems that store and process patient data. During such checks, special attention should be paid to analysing access logs, identifying non-standard user actions and testing the protection mechanisms.
Considerable attention in the report was paid to protecting specialized medical equipment. In particular, radiation diagnostics and therapy systems require special security measures, as they directly affect patient diagnosis and the course of treatment. The specialists recommend introducing multi-factor authentication for access to such equipment and encrypting the data it transmits.
In addition, the experts underlined the importance of protecting federal information systems in healthcare, including the Unified State Information System (USIS). For these systems, they recommend introducing additional access-control mechanisms and monitoring of user actions, as well as regularly updating protection tools in response to newly identified threats.
Another important aspect is the security of laboratory information systems. Given the critical importance of laboratory results for making a diagnosis, it is necessary to ensure not only the confidentiality of the data but also its integrity and its availability to authorized medical personnel.
Reference: The Faculty of Information Technologies of Moscow Polytech organized the International Case Championship “Medical Analytical Platform” jointly with the companies “Garant” and “Consultant Plus”, the Moscow Bar Association, the SSS of Lomonosov Moscow State University, the SSS of the HSSA of Lomonosov Moscow State University and other partners.