8/7/2019 13rwc2

1/1

hether balancing the needs of security withthe push for greater access to data, copingwith government mandates, or planning for

possible budget cuts, IT security managers have theirhands full. Frank M. Richards has been scrambling to dealwith those challenges. As CIO at Geisinger Health Systems(www.geisinger.org), a health care network in Danville, Penn-sylvania, that serves more than 2 million people, he faced anApril 2003 deadline for compliance with the U.S. Health In-surance Portability and Accountability Act (HIPAA). The lawrequired health care organizations to safeguard patient datafrom unauthorized access and disclosure. But HIPAA set goalswithout giving specics on how to get there, so Richards hadto balance the legal requirements with a demand from healthprofessionals for ease of access a daunting challenge.

This can be particularly problematic in the medicaleld, where care providers are under tremendous time pres-sures, he says. Understanding workow, assessing risk, andeducating users are all key components of a security systemthat achieves the correct balance between access and control,he says. Geisingers Electronic Medical Record (EMR) pro-gram focuses on easing access to data. It lets physicians at 50clinics use mobile devices to order medications, receivealerts, enter patient progress notes, and communicate withpatients. Another program, MyChart, lets patients accesstheir medical information via the Internet.

Both programs raised security issues. For example, secu-rity needs dictated that the database that powers MyChart

be installed on hardware separate from the EMK system.Richardss staff is also evaluating biometric and proximity devices as ways to streamline secure network access. Andcaregivers accessing patient information via the Internetwill be required to use electronic token identication in addi-tion to a virtual private network or other encryption method,he says.

Richards expects security technologies such as intrusiondetection systems to nally begin delivering on their prom-ises. Inadequate analysis tools, incompatibility with existingnetwork management software, and inability to handle largevolumes of data have combined to keep us from deployingthese security tools until very recently, he says.Du Pont Co. Process control networks are one of the essen-

tial applications of IT in manufacturing environments. Forexample, more than 2,400 oil, natural gas, and chemicalcompanies in the United States employ process-control net-works in their manufacturing systems. Other heavy users of process networks include the power, water, food, drug, auto-mobile, metal, mining, and manufacturing industries. Forexample, process networks in the chemical industry controlchemical-making equipment and monitor sensors. If any-thing goes wrong, such networks react by adjusting the envi-ronment in predened ways, such as shutting off gas ow toprevent leaks or explosions.

One company thats taking process network security seri-ously and involving IT is Du Pont Co. (www.dupont.com) inWilmington, Delaware. Tom Good, a project engineer at thechemical manufacturer, has been leading its 20-month-oldeffort to categorize and reduce its process-control systemvulnerabilities. Du Ponts philosophy for dealing with thisproblem, he says, is that On all of our critical manufacturingprocesses, we are either going to totally isolate our processsystems from our business systems by not connecting ournetworks, or were going to put in rewalls to control access.

To tackle process-control network security, Good says DuPont formed a team made up of IT staffers, who understandnetworks and cybersecurity; process-control engineers, whounderstand the process-control equipment; and manufacturingemployees, who understand manufacturing risks and vulnera-bilities. To give the three groups visibility, each reports to aseparate member of a committee thats leading the effort. Theteam rst discerned which control devices are critical to man-ufacturing, safety and continuity of production. Next the teamidentied the assets of each hardware, data, and software ap-plications then researched relevant vulnerabilities. Only thendid it begin the arduous task of testing xes and workaroundsto see which ones might work for which machines.

Even in a manufacturing environment that uses similarprocess-control hardware and software, precise vulnerabili-ties differ by environment. Dealing with a water treatmentprocess on efuents out of a plant is considerably differentthan dealing with a production operation, where you might

be dealing with vessels under high-temperature and high-pressure conditions, says Good. On the basis of its research,the team is also deciding how to separate networks andwhere process-control rewall appliances should go. Thegreater cost is in the network equipment and reengineeringactivities to separate networks and place critical process-control devices together on the clean side of the rewall,says Good. The challenge for us is to accomplish these taskswhile keeping the processes running.

Case Study Questions1. What is Geisinger Health Systems doing to protect

the security of their data resources? Are these measuresadequate? Explain your evaluation.

2. What security measures is Du Pont taking to protecttheir process-control networks? Are these measuresadequate? Explain your evaluation.

3. What are several other steps Geisinger and Du Pontcould take to increase the security of their data and net-work resources? Explain the value of your proposals.

Sources: Adapted from Dan Verton, How Will You Secure YourCompany Data? Computerworld,January 6, 2003, p. 24; andMathew Schwartz, Wanted: Security Tag Team, Computerworld,June 30, 2003, pp. 3840.

456 Module V / Management Challenges

W

Geisinger Heal th Systems andDu Pont : Securi ty Management

REAL WORLD

CASE 2