Danger, Will Robinson!
An open letter from Chris Riegel, CEO, STRATACACHE to Mr. George Barrett, Chairman and CEO, Cardinal Health, written in response to Cardinal Health’s unveiling of their Pharmacy Health Network and asking questions about network data security and the possibility of HIPAA privacy-breach litigation.
Reprinted below with kind permission in its entirety…
Congratulations on the launch of the Pharmacy Health Network. The targeting of Out of Home Media in retail pharmacy is a very smart play. Tapping the marketing budgets of the ‘big pharma’ companies via your industry relationships to drive advertising sales into a specialty pharmacy network makes great sense.
There is just one problem…
The PHNTV.com website states that for pharmacies “The only items that you will need to provide are electrical power and a shared high speed Internet connection.”
Since your network is targeted at “independent and community pharmacies nationwide”, who likely don’t have a significant or sophisticated Information Technology staff, the shared high speed Internet connection and Local Area Network (LAN) connections that you will be using in most if not all cases are likely the same network that serves as the pharmacists’ LAN/WAN network within the retail store.
This presents a challenge to Cardinal Health and PHNTV because, under Federal HIPAA Security Rules, Pharmacies are considered “covered entities” subject to HIPAA security and all of the legal liability in the case of a data breach.
“A covered entity must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information in violation of the Privacy Rule and to limit its incidental use and disclosure pursuant to otherwise permitted or required use or disclosure.”
Because the PHNTV media player device is likely to sit on the same network segment as confidential patient information, any mildly capable hacker who is able to penetrate the digital signage player (especially one running Windows and using unencrypted HTTP transfers) now has a ‘rogue’ device within the trusted Pharmacy Network segment from which they may attempt to access confidential patient information.
While the Digital Signage industry as a whole has been wonderful in promoting the benefits of Digital Media in the retail experience, many in this industry have been completely asleep at the wheel when it comes to properly designing and advising their customers on the security risks of deploying the systems and the potential liability that this brings to all companies involved with the offering.
Please don’t interpret this missive as an attack in any way on the idea. The idea of a pharmacy advertising network makes sense. I simply seek to raise the significant security risks across our industry of deploying a third party system in any trusted medical/healthcare network where your devices may (by design or inadvertently) be on the same network as confidential medical information. I wouldn’t want this to be the “Canary in the Coalmine” example we all look back on in 10 years and recall as the great big lawsuit that made security a real topic in Out of Home digital.
This issue is easily solved in 1 of 3 ways:
- Dedicate a completely separate Internet link and LAN switch to the PHNTV device. Isolating yourself from the privileged network eliminates any risk of data breach.
- Establish a private, highly secure dedicated VPN or Secure MPLS type network link to each pharmacy site and ensure your digital signage application uses high security protocols, operating systems and hosting environments.
- Use a technology such as cellular connectivity to keep the PHNTV device ‘off net’ and out of reach of the bad guys.
Any of these options will insulate Cardinal Health from liability for data breach; however, each will add noticeable costs to the operating model over the life of the system.
Unfortunately, many of the other Out-of-Home networks that target the medical sector use the same approach of ‘riding’ the health care provider’s network to lower their operating costs. On the surface, this makes sense for the network operator as it significantly lowers their cost of deployment, but the short term savings could easily lead to a massive liability for the breach of confidential patient data if a motivated hacker decides to penetrate the network and uses lightly secured (or totally unsecured) digital signage devices as the weak link.
As HIPAA privacy breach litigation is becoming a hot new legal specialty (Google the phrase ‘HIPAA data security lawsuits’ and you will see 19,900 entries), this represents a real business risk.
I thought it worthy to bring this matter to your attention before a class action team of attorneys in Texas delivers the message in a much more impactful way. While I am sure that Respario and Real Digital Media could also be targeted in any HIPAA privacy action around PHNTV as well, clearly, a company the size of Cardinal Health presents a very interesting target for litigators as the 18th largest company on the Fortune 500 list.
Like Cardinal Health, my company STRATACACHE is an Ohio company. We Buckeyes have to look out for each other, and I hope that this message saves you a future painful meeting with your Chief Legal Counsel.
See ‘Summary of the HIPAA Privacy Rule’ here
August 13th, 2009 at 15:06 @671
How about a simple VLAN?
August 13th, 2009 at 16:02 @709
While logical, how many Pharmacists do you know that can configure VLANs on the average Netgear DSL or Cable Modem box…?
August 13th, 2009 at 16:29 @728
I’m no lawyer, but I don’t think the technical approach RDM uses to communicate with their boxes will fall afoul of HIPAA DC best practices. If they start *collecting data* from those sites, *then* all sorts of bad things will happen.
August 13th, 2009 at 16:47 @741
Well, the simplest form of ‘VLAN’, which is usually baked into a lot of WiFi APs, is AP wireless isolation, where the clients connecting cannot see anything connected to the LAN or other WiFi users. Many can even easily isolate the 4 ports on the back from each other. So it is easy to configure by a tech (even remotely), but I take your point.
The point I was trying to make was – it’s a MUCH easier solution than your first 2 options – there are less draconian ways.
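The letter’s first option (a separate link and switch for the PHNTV device) and the VLAN / AP-isolation suggestion in the comments both come down to the same check: can the third-party player reach any host that holds patient data? The following script is an example added by the editor, not code from the letter, the commenters, or any PHNTV, Cardinal Health or STRATACACHE system. It models a store network as named segments (broadcast domains such as a VLAN or a separate switch) with inter-segment firewall rules, and audits the “before” (flat shared LAN) and “after” (isolated signage VLAN) layouts. All host names, addresses and rules are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """Inter-segment firewall rule; first matching rule wins, default deny."""
    src: str       # segment name, or "*" for any segment
    dst: str
    action: str    # "allow" or "deny"


class Topology:
    """Segments are broadcast domains (a VLAN, a separate switch, or an isolated
    AP client group).  Rules only apply between segments: a plain switch never
    filters traffic between two hosts in the same segment."""

    def __init__(self, segments: dict[str, str], rules: list[Rule]):
        self.segments = {name: ip_network(cidr) for name, cidr in segments.items()}
        self.rules = rules

    def segment_of(self, ip: str) -> Optional[str]:
        """Most specific segment containing ip, so 0.0.0.0/0 acts as 'everything else'."""
        addr = ip_address(ip)
        matches = [name for name, net in self.segments.items() if addr in net]
        if not matches:
            return None
        return max(matches, key=lambda name: self.segments[name].prefixlen)

    def can_reach(self, src_ip: str, dst_ip: str) -> bool:
        src, dst = self.segment_of(src_ip), self.segment_of(dst_ip)
        if src is None or dst is None:
            return False
        if src == dst:
            return True                      # same L2 domain: nothing in the path filters
        for rule in self.rules:
            if rule.src in (src, "*") and rule.dst in (dst, "*"):
                return rule.action == "allow"
        return False                         # no rule matched: deny between segments


def audit(topology: Topology, untrusted: dict[str, str], protected: dict[str, str]) -> list[tuple[str, str]]:
    """Return (untrusted host, protected host) pairs that can talk to each other.
    An empty list means the third-party device is isolated from patient data."""
    return [
        (u_name, p_name)
        for u_name, u_ip in untrusted.items()
        for p_name, p_ip in protected.items()
        if topology.can_reach(u_ip, p_ip)
    ]


# Constructed sample hosts (hypothetical names and RFC 1918 addresses).
PROTECTED = {"pharmacy-pos": "192.168.1.10", "rx-server": "192.168.1.20"}

# "Before": the shared-connection model, everything on one flat store LAN.
UNTRUSTED_FLAT = {"signage-player": "192.168.1.40"}
FLAT = Topology({"store-lan": "192.168.1.0/24"}, rules=[])

# "After": the player lives on its own VLAN and may only talk outbound to the
# Internet; nothing is permitted between the signage VLAN and the pharmacy LAN.
UNTRUSTED_SEGMENTED = {"signage-player": "192.168.50.40"}
SEGMENTED = Topology(
    {
        "pharmacy-lan": "192.168.1.0/24",
        "signage-vlan": "192.168.50.0/24",
        "internet": "0.0.0.0/0",
    },
    rules=[
        Rule("signage-vlan", "internet", "allow"),
        Rule("signage-vlan", "*", "deny"),
    ],
)


if __name__ == "__main__":
    print("flat LAN findings:     ", audit(FLAT, UNTRUSTED_FLAT, PROTECTED))
    print("segmented findings:    ", audit(SEGMENTED, UNTRUSTED_SEGMENTED, PROTECTED))
    print("player can fetch content:", SEGMENTED.can_reach("192.168.50.40", "203.0.113.7"))
```

The flat layout reports both pharmacy hosts as reachable from the player, which is exactly the “rogue device within the trusted segment” situation the letter describes; the segmented layout reports nothing while still letting the player reach its content server. The same audit can be run against a real inventory exported from the switch or router configuration, which is a cheap way to confirm that a VLAN or port-isolation change actually took effect.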
August 13th, 2009 at 18:36 @817
Thank you very much for putting this letter together for all to see. While the specific applications on how to separate the data we can debate upon, it is important to ensure that companies do ensure that these safeguards are in place, whether we are talking about a federally mandated security precaution, or one that just makes sense (like say banking data at a retail or financial institution).