Over the last few weeks, I have been
reading more than I normally do unless it is a book. This time it is
the website for Joe Flower, a healthcare speaker. He holds himself
out as a healthcare futurist, but he knows his topic, what he is
talking about, and writing about. He does not write for patients,
but patients can learn from his writing.
I talked with a hospital CEO recently
and mentioned his name. I was asked how I knew him and I said from
his writing. At that point, I was tuned out and totally ignored. I suspect he did not want a conversation
about computer security or how it would look when the hospital's
computer system becomes compromised.
I did not need to ask the one question
I had wanted to ask because I know that the patient electronic health
records are not encrypted, but I did want to ask why they were not
encrypted.
Joe Flower wrote a blog post on
thehealthcareblog.com where he warns CEOs (chief
executive officers) and COOs (chief operations officers) to start
listening to the information technology (IT) people and have some
serious meetings with them. He explains why and puts together a
great argument as to why this is important.
In November, Target had their systems
compromised and then other retailers discovered their systems had
been compromised in similar ways. He tells CEOs and COOs not to say
they had just passed a security audit, as Target had just passed a
security audit just before they discovered the break-in to their
servers, credit card machines, and cash registers. The security
audit failed to find the malware installed throughout the system.
How could this happen? The attackers
have gotten more sophisticated, and they used new techniques of
entry. The attackers in the biggest heist in the company's history
entered through the thermostat. Yes, through the most unlikely of
targets, a simple thermostat.
Most did not suspect that the heating,
ventilation, and air conditioning (HVAC) systems would be vulnerable
to this sort of attack. To understand what happened - most brick and
mortar stores have complicated HVAC systems. Hospitals have even
more complicated HVAC systems. The security leak happens because
most stores and hospitals outsource the management of their HVAC
systems to outside contractors. This contractor monitors and
controls the HVAC over the internet. How? Because all sensors,
thermostats, switches, control valves, and other controls are hooked
to the store's and hospital's servers. The contractor is given password-controlled
access to the store's central computer system.
When you think about hospitals, they
probably have more hooked to the central computer system and they are
also hooked to the internet. Most companies and hospitals are not
aware that these outside contractors have very poor security and
often use the same password across multiple customers.
Once these outside contractors have
been hacked, they have access to many brick and mortar stores and
hospitals. This in turn makes it easy for the hackers to gain access
to any information they want.
Other writers are urging system encryption against people that might penetrate the firewall. I know that many businesses and hospitals say they can't afford encryption, but the cost of being hacked may open more than a few checkbooks.
With the Affordable Care Act and the
ongoing interchange of data, especially between insurers and
providers, enormous amounts of personal data, from address and credit
card information, to medical health including embarrassing private
health information may become available to hackers.
Consider this appearing on hacking
forums: “We can get you the medical records of anyone — any
celebrity, wealthy person, or blackmail target.” Yes, this
will happen because they have hacked into the nets of information
that flow between payers and hospitals, and hospitals and clinics. I
can just imagine you seeing a headline in the local paper that says
the local hospital or clinic has had a data breach. Will the
hospital or clinic have an exodus of patients? I would not want to
bet against this.