As I mentioned in a blog post last week, the e-healthcare (electronic healthcare) industry is quite possibly a ticking time bomb for various reasons. And today, I read a memorable quote about the state of security in this segment (Neil Versel, InformationWeek):
“Electronic medical records haven’t fulfilled their promise of safer, more efficient, lower-cost care, and won’t until usability improves for physicians and nurses and until systems are more interoperable…”
Of course, this quote concerns EHRs/EMRs (electronic health records or electronic medical records, terms that seem to be used interchangeably in the industry) and their ability to simplify and streamline health record-keeping processes, reduce costs, and improve healthcare quality—however, it is equally true of the security benefits that the entire e-healthcare framework brings to the table.
Just as “usability” is an issue for EHRs/EMRs, so too is mobility: much of the healthcare industry is now facing another security conundrum because many doctors and healthcare workers want to access patient data “on the go,” via their iPads, iPhones, and other mobile devices. If the IT staff has not properly planned for this contingency, serious security problems will follow.
And to make mobility in the healthcare sector even more interesting, the FDA is now exploring the possibility of regulating mobile applications in the healthcare industry in the United States.
Brian Krebs pointed out today yet another potential security nightmare facing the healthcare industry—compromised hosts, which are controlled by criminals. Of course, Brian’s article references spambots—particularly in the healthcare industry—but regardless of what type of bot is used, the point is that the end system is compromised and under the control of criminals. It can just as easily collect and exfiltrate data and login credentials or modify critical patient records.
And this is where the real security fears in the healthcare industry can be realized—not just the privacy of healthcare records from unauthorized prying eyes in the hospital, clinic, or other healthcare facility, but outright theft, pilfering, or even modification of patient medical records.
The possibilities for compromise here are real, and a compromise can cost real lives.
This is an area where I think too much attention is being paid to government regulations like HIPAA and HITECH—regulatory and compliance regimes generally do raise the bar to a minimum security posture, but generally only to that minimum for the organizations and institutions that see these requirements merely as a bothersome necessity.
There is no magic here—failure to maintain a proper security posture usually results in compromised data and sometimes in the most unpleasant and unsatisfactory ways.
A recent survey of the healthcare industry indicates that one-third of respondents had experienced a data breach involving patient records. These statistics suggest that the healthcare industry still has improvements to make before it can properly implement and secure electronic health records.
And with the apparent lack of qualified IT staff to assist healthcare organizations in their efforts to properly (and securely) implement EHR and e-healthcare programs, we’ll have to wait and see if the situation improves.