With health records security is an afterthought

The eHealth Vulnerability study released today sounds self-serving, but it does make clear that health IT is something of a technology backwater where security and patching have yet to catch up with supply or demand.

The group represents existing players in health care, security and IT, rather than the groups seeking to mandate use of electronic health records.

What their report (PDF) finds, basically, is that routine patches often aren't made to hospital programs, that standard security monitors often aren't used, and that no one group has yet established best practices, especially in the area of securing the data.

In some ways this is a chicken-or-egg situation. You need a market before you can build the bureaucracies needed to monitor it -- even the private organizations. But without some assurance of security and privacy the market just won't develop.

The timing of this report, coming alongside the HealthIT bill, also points out the problem. These folks should be on the same side. The fact that they're obviously working at cross-purposes, one stepping on the momentum of the other, shows just how deep the problems in this business lie.

There are some awesome opportunities here, for big mainline software vendors, security firms, and privacy auditors. But consumers are going to demand this work be done before they trust any system, even one mandated by law.

The work of the HealthIT coalition just got a lot harder.

Talkback

6 comments
  • Unreality

    It sounds great, but this is another unrealistic view. It's like trying to sell software to law firms. Everybody wants everything totally customized, super cheap, and maintainable even in the boondocks by "somebody's cousin" who is the proverbial "computer genius" because he can figure out how to install Microsoft Office from the DVD.

    Also, hospitals are subject to so many constantly changing regulations from states, the federal government, JCAHO, NCQA, managed care contracts written by individual plans, terms of individual ERISA benefit plans, etc., that it is not cost effective for vendors to develop, sell and maintain software. On top of that is the problem that these are not PC networks, they need heavy-duty systems which means software will only run on a particular vendor's hardware, and of course the hospital may have hardware from a different vendor.
    Rick_R
    • Nearly all law firms have computers

      No matter how difficult it may appear to do the system integration work, or how expensive, the savings are multi-dimensional and enormous. So the opportunity is real.

      The problem is that those multi-dimensional savings are seldom realized by the people who have to pay for it.
      DanaBlankenhorn
  • Routine patches

    Those "routine patches" have an established track record of bringing down mission-critical applications. Regression-testing them is slow at the best of times, and rarely well funded.

    The potential liability of deploying a "routine patch" in a healthcare setting is vastly greater than the rather hypothetical risks perceived for not patching.
    Yagotta B. Kidding
    • Good point, but...

      The management of patching has become a profession in its own right, a subsidiary of the security specialty.
      DanaBlankenhorn
  • Security through obscurity

    I know it generally doesn't work.. but unfortunately that's the way it is in healthcare.

    As rick_r stated, there are so many regulations, private contracts, policies, procedures, training issues, and customized systems that security takes a backseat to ease of use.

    It's hard enough to bring employees in and train them on a completely customized system, much less security test that thing.

    What I have found is that the issue of security is generally weakest at the user. They are generally the ones who give out their passwords or write them down on a sticky note they attach to the monitor. Our trainers tell them not to do either and we watch for these behaviours, but it's generally the user.

    The system we have now requires a username, password and user number. If they don't match up, you don't get in. Of course these are different from the Windows login.. so again it's layered security.

    But I am 99% sure our vendor doesn't look for security flaws..
    Been_Done_Before
    • In other industries...

      What happens in other industries is that a new business niche is created to fill the need.

      The problem here is the HIPAA requirements act as a filter which keeps out most of the vendors.
      DanaBlankenhorn