The low levels of security in healthcare IT systems, and the high value of its data, is going to make the sector the next big target for scammers, according to the Microsoft-backed team that takes down botnets. "Healthcare is really in a disadvantaged place in cyber-security," said Patrick Peterson, CEO of security firm Agari, …
Corrected for accuracy ..
"The low levels of security in healthcare IT systems [running on Microsoft Windows] .. is going to make the sector the next big target for scammers, according to the Microsoft-backed team that takes down [Microsoft Windows] botnets"
Which is why...
When I have my MANDATED electronic medical record, I'd prefer it to be administered by a BANK. From the looks of it, they have a clue!
Remember, some of the medical devices are run by Windows 98 instances, and can't be updated (so it is said) unless they go through a bunch of hoops from the FDA to get it approved. So, the vendors just stand by and don't do much. Meanwhile the operator (health clinic, etc.) just connects it up to the internet, and some unsuspecting technician starts browsing the web, and the whole thing is compromised.
Now that WinXP is being cut off I suspect the same thing will happen there. So, one should be careful the next time you go in for an X-ray.
Here's one example
The information system at the hospital where I work will spit out active user's login password in plain text quickly with very minor coaxing. Nothing else needed to gain local access to medical records from any other terminal. CIO blamed a vendor when shown flaw months ago. Recently gave talk praising system security. And reviewed what makes a password strong. Flaw still active today. And system transmits and probably stores "strong" passwords as clear text.
AC for obvious reasons.
Wow, so there's money to be made out of uncle Toby's hemorrhoid records - you learn something new every day...
A backdoor thief can make piles!
$60 per person?
I'll gladly sell them mine. (a buck's a buck)
A Truly Secure System?
The only way I can think I'd be happy with my medical information being in an online DB would be for it to be in its own 'black box' - effectively its own little database program that only I and my doctor can have direct access to. Anyone else can only ask a simple question that can only have one of three answers: true; false; and null (or in more common parlance: yes; no; unknown).
In that way, if any medical search for a particular condition is needed, then all the 'black boxes' can be asked a question. For example: does the patient smoke? They get answers from the boxes of either yes, no, or unknown. Those that answer yes can be told to alert 'their' doctor accordingly and the matter can be followed up face-to-face with the actual patient. I suppose this in essence is like the black box being a medical avatar for the patient.
Of course, I don't expect any company or government department would even have a clue what I'm talking about (least of all the NHS in the UK :( ).
Bodes well for care.data...
...the problem isn't collecting and storing of data (NHS hospitals have been doing that bit fairly well for 25 years or so), but it's the way the data is passed around - especially if the wider use or retention of said is ultimately based on promises, or legislation that can be rewritten later.
One of my friends worked for Oracle and later was involved in the last major attempt to create a unified system (about 10 years ago or so). He stayed with us up in Leeds on occasion for the times he had to work at the Kremlin (Quarry House). IIRC, the technicalities of creating a dual-redundant stand-alone infrastructure that could safely deal with all the transfers, without exposing it to any public-facing network, were a headache. This was despite the eye-popping multi-billion budget for the whole job, enough so that just 1/30th would have been enough to do everything using top-end Apple Mac desktops and XServers in every GP practice in the land, plus install leased lines between them and the data centres. Even then, they knew they couldn't do the job properly, although it would have cut out the majority of the risks around at the time.
Luckily the NHS in England have anticipated this problem and devised a cunning plan - they will sell the data themselves, and for a much lower price.
...and in case this is not enough or some potential buyers have not noticed this opportunity or baulk at the low price, we are busy importing US systems that are so fundamentally insecure it's laughable. Or it would be if it weren't our private details being flung around.
AC for damn good reason as I know exactly what these systems are, where they are deployed, the fixed-by-the-supplier administrator passwords for all of their deployed systems and the UK company that is selling them into UK hospitals is staffed by the security clueless (£££ is the only thing that matters... la la la la la).
And this is just one niche system being pushed into UK hospitals that I know about, and it does have access to PMR data (Patient Medical Records).
A protected mess
The entire medical industry has protected itself right into a painted corner. (Notice I said industry and not profession, because there is not much "professionalism" left these days in American medicine.)
Granted, some of those laws were made to protect them from lawsuits, but others were to protect them from competition... and justified lawsuits.
As another comment here has pointed out, upgrading medical systems in the US almost takes an act of Congress, which means they will stay vulnerable for quite some years before anything is done.
Re: A protected mess
Well, with any luck, the US Congress will clean the wads of medical industry dollars out of its pockets, realize what a serious issue medical security is, and ram some medical security legislation up the backsides of all the medical folk. The medical industry has almost forever been way back at the trailing edge of computer technology. I've often marveled at visiting a doctor's office and seeing rows and rows of 6-foot high cabinets crammed with paper medical records. Is it any wonder the US medical system is so god-damned inefficient? Pathetic! The security issue will bite them all in the arse big-time, and the hue and cry over theft of medical and personal data from medical computer systems will motivate Congress.
NHS *Please* take note
But I rather doubt it.
Probably intercepts medical records anyway. How do we hash our brain output for MRI scans? Wearing a tinfoil hat in an MRI scanner is hard, it just slips off and sticks to the machine.
It's not just Microsoft, at least that has some security
NHS are currently rewriting Spine using Riak as the underlying database. The section on security in the Riak manual can be paraphrased as "there isn't any, write it yourself".
In the US blame Billary
Medical records used to be behind lock and key and guarded by a determined supervisor. After Mrs. Clinton first tried "HillaryCare" (which was a dud. What difference does it make?), she pushed for electronic medical records. These are out there for the world to see, because they are required under the law in the US. Once digitized they can be copied over automatically. Are you curious about Michael Jackson's records? They'd fit on a CD or USB drive. Coincidentally, when Billary, the PIAPS, was made Secretary of Stake, diplomatic cables were disclosed to the world by that hermaphrodite buck private.