by Scott Berinato

Healthcare CIOs Struggle to Secure Networks

Jun 15, 2003 | 3 mins

John Halamka remains compulsive about his network for good reason. Having endured one of the worst health-care IT network outages ever last November at Beth Israel-Deaconess Medical Center, the CIO of CareGroup in Boston checks his entire network each night from home before he goes to bed. He does it again when he wakes up.

Since that network outage (see “All Systems Down”), Halamka has added some structure to the medical center’s networking policies and has refreshed some of the staff’s network management skills. But other than that—and a Slammer virus network infection on Jan. 25—Halamka continues to pursue new applications for patient care, and spreads himself as far and as thin as he possibly can with supply chain, asset management and other projects. “Our [new] application efforts are more intense than ever,” he says.

This indeed has been an intense six months for health-care CIOs in general, judging by some very public incidents (see “Health-Care System Snafus,” Page 22). Add to that the SQL Slammer virus attack that infected the six-hospital Covenant Health network based in Knoxville, Tenn., and you’ve got an infirmary full of IT applications and infrastructures needing attention. Stat.

“All of this takes on an added sense of urgency in our industry. It’s more than an inconvenience because it impacts the delivery of care,” says Frank Clark, senior vice president and CIO of Covenant Health, who watched “the insidious Slammer,” as he calls it, take over his network.

It took only two minutes, in the wee hours of a Saturday morning in January. After bouncing off Covenant’s firewalls, the worm later struck again. This time it burrowed into a prescription computer system through a single open port connected to a trusted technology partner. It took 12 hours to flush the worm from Covenant’s systems. The six hospitals resorted to manual care.

“It could have been much worse if it had been a weekday,” says Clark, who tells of the Slammer ordeal in an e-mail reacting to Halamka’s story. Clark titles the missive “Misery loves company.” So what’s going on here? Are these incidents just plain bad luck, or are we seeing symptoms of a larger problem?

“Health care has taken quite a rap in IT investment and IT leadership” on a national level, says Elliot Stone, head of the Massachusetts Health Data Consortium, a group of health-care CIOs in the state.

Stone says these CIOs are being asked to use technology to improve care while also cutting hospital costs. These goals may conflict. At the same time, “we’re talking about an industry that clearly has constrained financial resources” to begin with, Stone says.

Health-care CIOs must navigate a complex skein of regulations, doctors, hospitals, clinics, pharmacies, patients and insurance companies. And complex are the networks that connect them all.

Covenant Health’s case is a good example of this interdependence. Clark’s infrastructure nearly stopped Slammer. The partner company that infected his network told him its own network was infected by yet another partner. Other health-care CIOs Clark knows say Slammer slammed them when employees accessed networks from home. The trend worries Clark.

“We try to impress on people that outages will happen if this continues, but they don’t think it will really happen,” he says. “What you learn from this is that it doesn’t take much to affect health care. We were exploited by one little vulnerability and a crude virus that just overwhelmed everybody.”