One of my favourite episodes of the SF series Battlestar Galactica begins during peacetime: the Cylon war is long over and old battleships, like the Galactica, are being decommissioned. The ship is transformed into a museum.
However, the decommissioning ceremony has barely finished when a new Cylon attack begins. Modern spaceships are quickly destroyed by a fatal computer virus that uses the fleet’s network. Because the old, bulky Battlestar Galactica is a standalone ship and not equipped with networked computers, it escapes the attack and plays a vital role in the search for the mythical planet Earth.
How secure are healthcare services?
In a Wired article titled “It’s insanely easy to hack hospital equipment”, Kim Zetter gives a frightening account of security issues in a US hospital with networked medical records, surgery robots, drug infusion pumps, Bluetooth-enabled defibrillators, x-ray and imaging databases, and temperature settings of refrigerators storing blood and drugs.
Only the anaesthetic machines were safe as they were not interconnected and didn’t allow remote web administration. There’s the analogy with the Battlestar Galactica…
Some say digital security in healthcare is stuck in the Stone Age. In Australia, online government portals like my.gov.au give access to E-health records (PCEHR), Centrelink, Medicare, Child Support and the Department of Veterans’ Affairs. But IT security experts warn that these linked databases are at the mercy of hackers because of flimsy security.
Connecting medical equipment
A few years ago, when we introduced free Wi-Fi in our waiting rooms, we discovered potential security risks that had to be mitigated first. That was just a small Wi-Fi network. Australia’s first digital hospital will soon open its doors.
It’s an amazing, innovative project. The hospital network contains 310 km of fibre-optic cable – everything is connected: E-health records (PCEHR), blood pressure machines, insulin pumps, X-ray equipment, renal dialysis and anaesthetic machines – even the whereabouts of doctors and patients is recorded via electronic badges.
Medical equipment is usually reliable and safe, but has not always been designed to encrypt and store information securely. If you start connecting it all up to a network in hospitals and practices, scary things can happen.
Insider misuse is common
Protecting a network from external threats outside the firewall is crucial. But networks should also be protected from inside threats, such as unhappy employees. Research shows that many employees who lose their jobs leave with confidential company data. Insider misuse happens more often in healthcare than in other industries.
Lack of knowledge is another security threat, for example when healthcare workers write down or share passwords, accidentally open infected email attachments, or download malicious data from the internet or from other carriers, like memory sticks. Loss or sharing of data carriers, including business phones and laptops, is also a common scenario.
The next black swan?
On the black market, healthcare records and insurance credentials are worth 20 times more than credit card details. Healthcare data is combined with other information into complete packages, sold for $1000 or more, which is why the FBI has warned healthcare providers that their security is too lax.
ASIC Australia Chairman Greg Medcraft said cybercrime across the world is rising, adding up to an annual cost of $110 billion. “Cybercrime is a systemic risk and is potentially the next black swan event,” he said.
Advancing technology is exciting but creates challenges at the same time. Secure equipment is a basic requirement. It’s good practice to have a data security policy in place. Staff should be educated and reminded regularly of the do’s and don’ts.
Sensitive patient and business records should be monitored closely. Data leak protection systems are able to restrict and monitor what data is copied and by whom. Accounts should be shut down when people leave the organisation.
And that’s only the beginning.