As I mentioned in my blog post last week, the e-Healthcare (Electronic Healthcare) industry is quite possibly a ticking time-bomb, for various reasons. And today, I read a memorable quote about the state of security in this segment (Neil Versel, InformationWeek):
“Electronic medical records haven’t fulfilled their promise of safer, more efficient, lower-cost care, and won’t until usability improves for physicians and nurses and until systems are more interoperable.”
Of course, this quote is about EHRs/EMRs (Electronic Health Records or Electronic Medical Records, terms that seem to be used interchangeably in the industry) and their ability to simplify and streamline health record-keeping, reduce costs, and improve the quality of care. But it applies just as well to the security benefits that the e-Healthcare framework as a whole is supposed to bring to the table.
Just as usability is an issue for EHRs/EMRs, so is mobility, which has become the next security conundrum for much of the healthcare industry: many doctors and healthcare workers want to access patient data "on the go", via iPads, iPhones, and other mobile devices. Where IT staff have not planned for this (device management, authentication, encryption of data at rest and in transit), serious security problems are sure to present themselves.
And to make mobility in the healthcare sector even more interesting, the FDA is now exploring the possibility of regulating mobile applications in the healthcare industry in the U.S.
Brian Krebs pointed out today yet another potential security nightmare facing the healthcare industry: compromised hosts under the control of criminals. Brian's article references spambots, particularly in the healthcare industry, but regardless of what type of bot it is, the point is that the end system is compromised and under criminal control. A bot that sends spam today could just as easily collect and exfiltrate patient data or login credentials, or modify critical patient records, tomorrow.
This is where the real security fears in the healthcare industry can be realized: not just the privacy of health records from unauthorized prying eyes in the hospital, clinic, or other healthcare facility, but outright theft, pilfering, or modification of patient medical records.
These compromises are a genuine possibility, and they could cost lives.
This is an area where I think too much attention is being paid to government regulations like HIPAA and HITECH. Regulatory and compliance regimes do raise the bar to a minimum security posture, but for organizations and institutions that see these requirements merely as a bothersome necessity, that minimum is all they will ever achieve.
There is no magic here: failure to maintain a proper security posture usually results in compromised data, and sometimes in the most unpleasant and unsatisfactory ways.
A recent survey of the healthcare industry indicates that one-third of respondents had experienced a data breach involving patient records. Statistics like these suggest that the healthcare industry has some way to go before it can properly implement and secure electronic health records.
And given the apparent shortage of qualified IT staff to help healthcare organizations implement EHR and e-Healthcare programs properly (and securely), we will have to wait and see whether the situation improves.