Wednesday, October 19, 2011

There Is Going To Be A Real Security Issue Emerge With Health Information Exchanges - Like The PCEHR!

The following interesting article appeared a few days. It is relevant as essentially the proposed PCEHR is actually just a Health Information Exchange at is heart - which it why the Government went out and bought one from Oracle / Accenture.

The Next Big Security Challenges

HDM Breaking News, October 12, 2011
For many security-conscious executives, the next big frontier will be health information exchanges. "HIEs are the biggest access and security challenge moving forward," says Bill Spooner, senior vice president and CIO at San Diego-based Sharp Healthcare. "The usefulness of the HIE will depend on how well we work through it. We want to be absolutely secure in getting patient consent for sharing their information, and at the same time, make sure their information is available."
It's an issue being raised across the country. The University of Pittsburgh Medical Center recently launched a data exchange with several area hospitals. Access to information will be based on having a prior relationship with the patient, says John Houston, vice president privacy and information security. "You want to make sure that not just anyone can query the HIE," he says. "Members will be contractually committed to doing the right thing. But the members will need to enforce appropriate conduct." Technology can only go so far in preserving patients' rights, he says. "The HIE is based on trust."
In addition to data exchanges, the influx of personal portable devices in the health care setting will bring their own set of access challenges.
Providers have been caught off guard by smartphones and other devices, says Noa Bar Yosef, senior security strategist at Imperva, a security software vendor.
"Providers have suddenly woken up to the reality where sophisticated mobile devices are being used as access points to online services and enterprise networks," says Bar Yosef. "The sudden dramatic increase of these devices in the past couple of years left the I.T. and security departments to scratch their heads and wonder how they lost control of I.T. Organizations need to recognize the introduction of these technologies to the workplace, and they need to start planning how to secure the devices and their interaction with the enterprise networks."
The good news, notes Bar Yosef, is that security tools for smartphones are readily available, including anti-malware, encryption and authentication. However, securing the end-device is simply not enough, she contends. "Organizations need to recognize that these devices are accessing the network, which means that even a compromised device might be introduced into the health care organization,"
Full article is here:
I find it interesting that the very same point was made a week or so ago regarding the PCEHR and security.
See here:

Harbinger of security warns national e-health system

Written by Nic White Thursday, 06 October 2011 09:00
THE vulnerability of Australia’s planned national e-health system to cyber attacks is not being taken seriously enough, according to a WA security academic.
The weakest points of this system are the individual healthcare providers, particularly the small primary care and specialist organisations which make up more than half the connections in the national e-health system.
ECU secau Security Research Centre senior lecturer Trish Williams says the initiative has multiple points of vulnerability that are unlikely to be fully realised until the system goes live.
The $466.7 million plan will digitise and integrate Australia’s patient record databases to allow much greater sharing of patient information, such as allergies, test results and medications, than the current “safe but not particularly useful” paper system.
Dr Williams says the integration of such a big and complex system is far more susceptible to attack than a decentralised paper one because of the communication between diverse healthcare providers, unlike banks where information is securely stored in one domain.
More here:
This paper seems to me like one we all need to have a look at - and soon!
Williams, P.A.H. (2011). Why Australia’s health system will be a vulnerable national asset. In C. Valli (Ed.) Proceedings of the 2nd International Cyber Resilience Conference. pp. TBA. Perth: secau- Security Research Centre, Edith Cowan University.
Sadly it does not appear to be available on the web at present. However, Dr Williams did kindly send me her paper in response to an e-mail. The paper does confirm her concerns with ensuring the security of GP systems over time.
I will keep an eye out and let readers know when it appears easily available on the web.
Clearly and expert systematic analysis of all the issues and their remedies is a little overdue!

No comments: