Healthcare has bigger problems than ObamaCare and that is "Information Security"!

Created on: Wednesday, November 23, 2011
Author: Joseph Funaro

Tags: hipaa, meaningful use, healthcare, rio, healthcare technology, security, compliance

With the push for EMR and system integration between healthcare players via HL7, VPNs, and remote access, there should be major concern over the current state of information security in healthcare.
 
As a former Director of Technology, CTO, and consultant for numerous outpatient/hospital healthcare organizations, I can tell you that PHI is there for the taking. Facing countless threats from internal and external sources by way of information leakage, intrusions/hacking, phishing, viruses, malware, etc. is a never-ending battle for patient safety, privacy, and security.
 
Many times I have seen organizations with sensitive systems such as RIS, PACS, EMR, and others connected directly to the internet without safeguards. When we think of big-name medical equipment vendors we assume they must surely have addressed security – wrong! Countless times our anti-threat systems warned us of viruses and other unwanted threats introduced by infected media provided by these vendors. This type of incident happens every day and is mostly overlooked as insignificant. Even when safeguards were taken they were rarely set up properly, maintained or monitored, and almost never managed by someone with qualifications. Most organizations don't have the stomach for the cost associated with doing security right and typically make this decision with their wallets.
 
You see, information security, threat prevention, information leakage, and the like are moving targets; they require proactive countermeasures and real-time analysis, and at the very least a daily review. Also important to know is that many of the IT products recommended for defense today rely on a 15+ year old technology, stateful packet inspection. Stateful packet inspection, still the common response, has become almost irrelevant: it decides by port and connection state, not by what the traffic actually is, and today most applications run on ports 80 and 443, which are typically allowed by most rule-sets. So you see, even if an organization has taken steps in the last 5 years to secure data, it may still be vulnerable to attacks.
 
I believe if the average person had the opportunity to see the war being waged against our security devices they would be astounded. Ask any security professional who proactively monitors firewall/threat prevention logs how frequently they see "Brute Force Attacks", "Code Obfuscation", and "HTTP URI Scheme Evasion" attempts, to name a few. The threats today are rampant and the challenge is great to maintain a balance between measure and countermeasure.
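The two points above, that a port-based rule set waves through anything on 80/443 and that a daily log review is what actually surfaces brute-force activity, can be shown in a few lines of code. The following is an added example written for this page, not code from the original post or from any product the author used. The log lines are constructed sample records, the `key=value` field layout is an assumption, and the five-failures-in-sixty-seconds threshold is an arbitrary illustrative setting.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records (not real traffic). The "app" field stands in
# for what an application-aware inspection engine identifies the flow as.
FLOW_LOG = """\
2011-11-23T08:00:01 src=203.0.113.5 dst=10.0.0.20 dport=443 app=ssl
2011-11-23T08:00:02 src=203.0.113.5 dst=10.0.0.20 dport=443 app=ssh
2011-11-23T08:00:03 src=198.51.100.9 dst=10.0.0.20 dport=22 app=ssh
2011-11-23T08:00:04 src=203.0.113.7 dst=10.0.0.21 dport=80 app=http
2011-11-23T08:00:05 src=203.0.113.7 dst=10.0.0.21 dport=80 app=bittorrent
"""

# Constructed sample authentication records for the daily review.
AUTH_LOG = """\
2011-11-23T08:10:00 src=203.0.113.5 user=admin result=fail
2011-11-23T08:10:02 src=203.0.113.5 user=admin result=fail
2011-11-23T08:10:03 src=203.0.113.5 user=root result=fail
2011-11-23T08:10:05 src=203.0.113.5 user=admin result=fail
2011-11-23T08:10:06 src=203.0.113.5 user=admin result=fail
2011-11-23T08:10:40 src=203.0.113.5 user=admin result=success
2011-11-23T08:11:00 src=198.51.100.9 user=jdoe result=fail
2011-11-23T09:11:00 src=198.51.100.9 user=jdoe result=success
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse(log):
    """Turn each 'timestamp key=value ...' line into a dict with a datetime."""
    records = []
    for line in log.strip().splitlines():
        ts, _, rest = line.partition(" ")
        rec = dict(FIELD_RE.findall(rest))
        rec["time"] = datetime.fromisoformat(ts)
        records.append(rec)
    return records


# What a port-based (stateful) rule set looks at versus what an
# application-aware rule set looks at.
PORT_ALLOW = {"80", "443"}
APP_ALLOW = {"http", "ssl"}


def port_based_decision(rec):
    return "allow" if rec["dport"] in PORT_ALLOW else "deny"


def app_aware_decision(rec):
    return "allow" if rec["app"] in APP_ALLOW else "deny"


def flows_passed_only_by_port_rules(log):
    """Flows the port rule set allows that application-aware rules would deny."""
    return [
        f"{r['src']}->{r['dst']}:{r['dport']} app={r['app']}"
        for r in parse(log)
        if port_based_decision(r) == "allow" and app_aware_decision(r) == "deny"
    ]


def brute_force_sources(log, threshold=5, window=timedelta(seconds=60)):
    """Sources with >= threshold failed logins inside a sliding time window.

    Returns {src: largest failure count seen in any window}."""
    fails = defaultdict(list)
    for r in parse(log):
        if r["result"] == "fail":
            fails[r["src"]].append(r["time"])
    flagged = {}
    for src, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[src] = max(flagged.get(src, 0), count)
    return flagged


def successes_from_flagged_sources(log, flagged):
    """Successful logins from a source already flagged for brute force: the
    line in the daily review that deserves escalation."""
    return [
        f"{r['src']} user={r['user']} at {r['time'].isoformat()}"
        for r in parse(log)
        if r["result"] == "success" and r["src"] in flagged
    ]


if __name__ == "__main__":
    for flow in flows_passed_only_by_port_rules(FLOW_LOG):
        print("port rules allowed, app rules would deny:", flow)
    hits = brute_force_sources(AUTH_LOG)
    print("brute-force sources:", hits)
    for line in successes_from_flagged_sources(AUTH_LOG, hits):
        print("ESCALATE:", line)
```

The first function makes the stateful-inspection point concrete: both the SSH-on-443 and the peer-to-peer-on-80 flows pass a port-only rule set and are only caught when something looks at the application. The second and third functions are the kind of check a daily review runs; the interesting output is not the burst of failures by itself but a success from the same source shortly afterwards.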
 
I know the wheels are well in motion for EMR and information sharing, but I think that healthcare organizations need to take a serious look at their plan to address this. We must come up with ways to rate and score organizations in the same way the Board of Health does restaurants: A+, C-, etc. I see tremendous value in forming a team of security professionals who perform penetration testing and provide reports to the public. This way everyone can know the truth and make a conscious decision about where they want their PHI spinning in perpetuity.