Thursday, February 18, 2010

Networked EMRs and Healthcare Information Security: Practical When Massive IT Security Breaches Continue?

At "Networked, Interoperable, Secure National Medical Records a Castle in the Sky?" I wrote that the holy grail of electronic medical record efforts - the creation of a networked, interoperable, secure national medical records system - may be far more difficult than anyone expected due to vulnerabilities in current, widespread IT networking and OS platforms.

Now we hear the situation is even worse than in the articles I cited at that post:

Wall Street Journal
Feb. 18, 2010
Broad New Hacking Attack Detected

Global Offensive Snagged Corporate, Personal Data at nearly 2,500 Companies; Operation Is Still Running

Hackers in Europe and China successfully broke into computers at nearly 2,500 companies and government agencies over the last 18 months in a coordinated global attack that exposed vast amounts of personal and corporate secrets to theft, according to a computer-security company that discovered the breach.

The damage from the latest cyberattack is still being assessed, and affected companies are still being notified. But data compiled by NetWitness, the closely held firm that discovered the breaches, showed that hackers gained access to a wide array of data at 2,411 companies, from credit-card transactions to intellectual property.

One can only imagine how internet-connected hospitals, generally an IT backwater, might fare under such an onslaught.

... In more than 100 cases, the hackers gained access to corporate servers that store large quantities of business data, such as company files, databases and email.

They also broke into computers at 10 U.S. government agencies. In one case, they obtained the user name and password of a soldier's military email account, NetWitness found. A Pentagon spokesman said the military didn't comment on specific threats or intrusions.

At one company, the hackers gained access to a corporate server used for processing online credit-card payments. At others, stolen passwords provided access to computers used to store and swap proprietary corporate documents, presentations, contracts and even upcoming versions of software products, NetWitness said.

Data stolen from another U.S. company pointed to an employee's apparent involvement in criminal activities; authorities have been called in to investigate, NetWitness said. Criminal groups have used such information to extort sensitive information from employees in the past.

Read the whole article. These breaches are an unpleasant reality in 2010, but what's worse is that there really are no solid metrics for the true extent of this 'disease.'

Perhaps future Internet technologies will reduce or eliminate the problem, as one reader suggested in a comment to my aforementioned post. I do not believe, however, that patients and their medical records should be used as guinea pigs until those new networking and security technologies are widely deployed and well-proven.

In effect, this is probably not a good time for actual records-level interoperability to be deployed in any manner other than as part of a future strategy. Operationalizing that strategy should probably await a time when the "digital ether" in which the data resides and moves is more mature, unless proprietary networks and technology, with no connection to the Internet, are to be used. Planning data-level compatibility between systems, on the other hand, is work that should continue.

Finally, the layoffs and staffing levels in today's IT departments (at both vendor and user shops), plus the outsourcing of critical IT functions to overseas contractors where workers' loyalty to the primary firm is questionable at best, may be a contributing factor to the nakedness of corporate America's information systems.

-- SS