Healthy networks

The hospitality and healthcare sectors are experiencing tremendous growth in the Middle East. With that growth comes an increasing amount of confidential information that needs to be secured and protected.
By Sean Robson
Mon 20 Apr 2009 04:00 AM

Among the region’s fastest growing verticals are the healthcare and hospitality sectors. As these sectors continue their upward swing, more and more information is being created, particularly about patients and guests, which is not only valuable but also frequently of a confidential nature. It is up to the region’s IT professionals and vendors to provide the safe and secure environments users expect and demand.

“The valuable data and information assets related to patients, medical research and intellectual properties are making it necessary for healthcare organisations to be on guard and apply the principle of control, confidentiality, integrity and accountability,” explains Harish Chib, vice president of new business development at Cyberoam.

“I think that there are two specific aspects of data security that hospitality and healthcare are looking at. One is the traditional security when securing access from outsiders into the internal network through traditional securities like firewalls, access prevention, anti-virus and anti-spam,” says Judhi Prasetyo, regional channel manager, Fortinet Middle East.

“The second one is from a compliance and data leakage and data theft perspective. There needs to be a lot more done in the second aspect which is dealing with data leakage and information prevention,” Prasetyo continues.

Up to now

Security in the healthcare and hospitality industries has been evolving steadily in recent times, as data that was previously either not collected or held only in hard copy has been transferred to electronic form. Many enterprises continue to protect themselves with traditional technologies, but the rapid escalation of the demands made by regulation and compliance is changing that.

Greg Day, security analyst EMEA for McAfee, has seen the emphasis begin with technology and the subsequent shift in understanding around security. “Technology can be used in every area, from critical to trivial, and in each instance, it is essential that there is an understanding of how and why it is being used, what the potential threats are and what they would mean in terms of business impact. Over the course of the last few years, we have seen a growing focus on understanding and managing the data being collected, stored and shared.”

According to Bulent Tescoz, security expert at Symantec, just a few years ago the prevailing wisdom was that having a firewall at the perimeter was good enough, but the focus has since moved towards end-point solutions and building on the standard technologies.

“The industries now realise that having an anti-virus solution is not enough because they acknowledge that this is actually a reactive way of doing this. The healthcare industry is a business today; in the region network access control (NAC) is a hot topic right now with industry standards also becoming more important,” elaborated Tescoz.

Many end-users still rely on the best available technology while making a pre-emptive move to reach international standards of compliance. “We have strict access list on router level, secure anti-virus as well as restricted USB access. We are in compliance with the highest EU standards of communication and data privacy,” points out Dinto Joseph, IT Manager at the Radisson SAS Hotel, Dubai Media City.

Weapons chest

There is no doubt that the threats faced by healthcare and hospitality are not just on the increase but becoming more sophisticated almost by the day. In response, security vendors have to deliver more effective solutions and technologies to assist the IT professional in the battle against malicious attack.

“Across the world there is a major push to move towards electronic medical records, the availability of these electronic records is enabling medical professionals to access these records from wherever they want, they no longer need to be at their desks. What they want is a secure solution so that they are able to log in and get access to it no matter where they are. So a secure remote access solution is becoming very important,” says Sanjeev Gupta, general manager, enterprise business solutions, Nortel.

Fortinet’s Prasetyo discussed his company’s newest security products aimed at the healthcare market. “We are seeing a lot of interest in our database security and firewall products. FortiDB is aimed at database security and is an assessment as well as auditing and monitoring tool for the database. FortiWEB is a special firewall built to defend net application servers.”

Guru Prasad, general manager for networking at FVC, says that the value-added distributor now offers a number of solutions aimed at data leakage issues. “On the data leakage side and the data privacy side we have partnerships with Google where we offer DLP as well as e-mail and web security technologies. On the compliance side we have a product that addresses the data vulnerability as well as the data leakage compliance access control issue.”

When it comes to which products have found the most traction with users, Prasad has seen a mature progression in terms of adoption. “We have seen a lot of traction with e-mail and web security, I think a lot of the leakage and threats that healthcare and hospitality see are from trojans, spams and phishing attacks. The natural progression from that point is towards looking into data loss prevention,” Prasad elaborated.

“Organisations face many blended threats today so they are favouring a unified approach that protects their networks and business users from the blended attacks and technology misuse,” says Chib of Cyberoam.

According to Chib, another factor driving the overall UTM security industry today is compliance. “The basic tenet of all compliance acts demands that a security process be in place to guard against unauthorised access, use, disclosure, modification, or interference with system operations. In fact, UTM like Cyberoam makes compliance unbelievably easy as it provides the ability to collect, aggregate, correlate, and report the event data with its on-appliance reporting module,” says Chib.

Obstacle course

Vendors of security products aimed at the healthcare and hospitality sectors admit that they face a number of challenges when it comes to providing solutions to the region.

“The biggest threat is the pace at which they adapt to protecting their network as opposed to the pace at which the threats are emanating. It’s a case of how quickly they can ensure that the data and networks are secure,” says Prasad.

Regulations loom: HIPAA Statute & Rules

To improve the efficiency and effectiveness of the health care system, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, included Administrative Simplification provisions that required HHS to adopt national standards for electronic health care transactions and code sets, unique health identifiers, and security.

At the same time, the US Congress recognised that advances in electronic technology could erode the privacy of health information. Consequently, Congress incorporated into HIPAA provisions that mandated the adoption of Federal privacy protections for individually identifiable health information.

HHS published a final Privacy Rule in December 2000, which was later modified in August 2002. This Rule set national standards for the protection of individually identifiable health information by three types of covered entities: health plans, health care clearinghouses, and health care providers who conduct the standard health care transactions electronically. Compliance with the Privacy Rule was required as of April 14, 2003 (April 14, 2004, for small health plans).

Prasad notes that while the bigger healthcare providers are gradually adopting security standards, it remains an issue with the smaller organisations, which are less focused on ensuring processes and standards are implemented.

“The unique security challenges actually begin with the compliance itself. When there are no regulations, be they industry regulations or security regulations that enforce compliance, problems begin to occur,” says Prasetyo.

Tescoz, though, believes that the challenges facing the region are not unique but are instead faced worldwide. “Businesses are looking to optimise their existing security deployments to maximise the budget available for new projects, such as tackling the data control issue. The regional variation is often the result of the level of pressure being applied by local legislation and geo-political considerations,” says Tescoz.

Money, money, money

Spending on IT solutions and products is less robust than in recent years, with the financial situation for many organisations tenuous at best. The industry veterans, though, do not anticipate a significant decrease in spending.

“I believe security is not something that you can compromise. You do not want to compromise the security and potentially lose your business. It is now more than ever though a matter of assessing your assets and deciding which one requires more protection,” says Prasetyo of Fortinet.

Nortel’s Gupta agrees that the security market will remain relatively untouched by the global slowdown. “Despite the current market conditions healthcare is still growing. There are projects being put on hold but if you talk to anyone in healthcare you will hear that security is such an essential part of what they do and they will not readily compromise on it.”

When it comes to allocating budget towards security spending there are a number of equations and recommendations out there.

“I would say that security budgets are anywhere between 20 to 25% of the overall IT budget and we see that increasing more and more. I think that especially in the current environment we will see a lot more continued spending on security whereas infrastructure has slowed down quite a bit,” says Prasad.

McAfee’s Tescoz believes that a thorough assessment needs to be done before settling on a percentage to be allocated. “Spending is dependent on the current state of security in each country and on the risks identified by the organisation as part of its specific risk assessment process,” he says.

Over at the Radisson SAS, Dinto Joseph and his team have, after careful consideration, allocated approximately 10% of the total IT investment toward securing the network and systems.

“Quite simply put, security is as important as a disaster recovery plan. In the hospitality sector we operate 24/7, hence any interruption related to a security breach will affect our business,” emphasises Joseph.

The hospitality and healthcare sectors are clearly amongst the fastest growing industries in the region. The security industry, together with IT professionals, faces unique and complex challenges, but by working together they can, and must, form a strong united front against future attacks.

Success story: Emitac offer regional flavour

Emitac’s Healthcare Group has successfully deployed IT solutions across the region, including in leading government and private hospitals. The UAE’s first clinical information system (paperless ICU and OBG), which was implemented in Tawam hospital in 2000, was further expanded and upgraded in 2006 and 2008. The CIS implementation has been facilitated at Tawam hospital in order to ensure compliance.

Additionally, Emitac Healthcare IT introduced the Voice Dictation and Voice Recognition system into the UAE healthcare sector and successfully implemented it in hospitals like Tawam and the American Hospital.

Emitac is currently maintaining and providing 24x7 technical support to existing HIS systems at all Ministry of Health hospitals in the region.

The IT solution is designed and integrated with a comprehensive set of tools and options to promote operational excellence. These systems are designed to enable connectivity and interoperability across clients’ departments and functions, thereby delivering maximum productivity and less redundancy.

Healthcare automation and change work flow process has been a big challenge in bringing people together on a successful implementation. Emitac believes in transforming healthcare through people, process and technology.

The JCI accreditations and quality control process implemented by the governments of Dubai and Abu Dhabi have made it a mandatory requirement for healthcare providers to implement an IT system to improve patient safety and provide online data for quality control.
