Information Security for health practitioners

Is it possible for health practitioners to  achieve information security?  Maybe a better question is  “How can health professionals balance privacy, information security and accessibility in an online world?” Or even, should the medical profession be bothered with keeping private and sensitive information secure?

Over the last few months, I’ve been working with a number of health practitioners to help them improve their information security. Much of this has been done with a view to the introduction of electronic health records.

I sympathise with hospital administrators, doctors and nurses. They don’t have a lot of time to think about security and privacy. However, the fact is that they have to do better.

monash university - surgery clinic 2012

Criminals follow the money

According to the Australian Institute of Health and Welfare, the health system costs just under 10% of Australia’s GDP (AUD121.4 billion in 2009/10 according to the AIHW) . In the US, it is around 18% (USD2.6 trillion in 2010 according to the CDC).  With this much money involved in the health system, it is a fat series of targets for cyber attack and fraud.

Terrorist vector? Probably not.

The Department of Homeland Security has even gone so far as to suggest that the health system could be targeted by terrorists and activists in the USA. I am not convinced by this or similar suggestions as the no1 aim of terrorists remains to create terror. Terrorists understand this and seek targets and methods along those lines. It matters less how few people a terrorist kills. It is more important for the terrorists that they have an audience that can clearly see a hard link between cause (terrorist attack) and effect (death, destruction etc). The  murder of a single UK soldier in May 2013 by allegedly Al-Qaeda inspired terrorists with machetes has created significant community angst, not only in the UK where it occurred  but in Australia, Canada and the USA. Yet, it is likely that more people died on that same day on the roads in London. My point is this, that if terrorists discovered some way of causing significant death or maiming from medical equipment, I do not doubt that they would use it. However, it is likely that the effect on the collective public consciousness would not be as great as the machete attack mentioned above.

However, we must accept that it is possible, if not altogether probable. One identified flaw is the chronic inability of many health systems to patch their software and applications.

One high consequence scenario involves hackers attacking defibrillators and insulin delivery systems remotely. I think this comes into the unlikely but possible category. Shodan, was used by a hacker to access the controls of a blood glucose monitor connected to the Internet by WiFi.

Whilst we can probably discount to some extent the terrorist threat, I can imagine the attraction of such attacks as assassination vectors or for the installation of ‘ransomware‘. Thus the high consequence threat from foreign governments and organised crime can’t be as easily discounted.

Beyond the extreme, privacy compromise and fraud

Beyond these extreme events, there is the possibility that patient or staff privacy can be compromised by weak information security. Dr Avi Rubin, a computer scientist and technical director of the Information Security Institute at Johns Hopkins University, talking about the US health system has been quoted . “If our financial industry regarded security the way the health-care sector does, I would stuff my cash in a mattress under my bed.”…. Unfortunately, it is not possible to hide one’s health under the mattress!

I experienced this personally about a week ago when my daughter’s optometrist sent through the results of her recent eye test, only it wasn’t. The attachment data was for somebody I had never met.

We have a tendency to compare the worst case scenario of e-health privacy with the best case scenario of the current system. We all know that it isn’t the case as my example above shows.

Good information security will also help protect healthcare organisations from fraud. Fraud is estimated to be a USD60 Billion impost on US hospitals. Methods that are being used by fraudsters include

  • Diversion of fee revenue
  • Diversion of controlled items (eg drugs)
  • Collusion with suppliers; and
  • Diversion of accounts receivable.

The same methods are being used in medical practices, albeit on a smaller scale.

What to do

A holistic approach is needed. We have worked with a number of medical practices to implement the key elements of the information security standard ISO 27000. This ensures that the practice has a risk based approach which mitigates threats based on real world experience of consequence and likelihood. Working with practice owners and stakeholders, we determine tolerance to information risk and work with them to implement controls which make sense and meet any regulatory requirements.

If you think this is something your organisation needs, please contact us at [email protected]

Published by

Alex Weblng

BSc, BA (Hons), Gdip Comms, GdipEd, ZOP

Alex has 20 years of experience in the Australian Government working in the fields of national security, information and cyber-security, counter-terrorism, , nuclear science, chemical and biological security, protective security and critical infrastructure protection, identity security, biometrics, and resilience.

Alex was the foundation Director of the Australian Government computer emergency response team, GovCERT.au (later CERT Australia). He developed and project managed a world first program to train CERTs in developing APEC countries.

Alex set up the Trusted Information Sharing Network Resilience Community of Interest in 2008 and produced the first Australian Government Executive Guide to Resilience.

Head of Protective Security Policy in 2010, Alex was responsible for launching the revised Protective Security Policy Framework and the single information classification system for the Australian Government.

Alex has both significant experience and tertiary qualifications in the CBRN (Chemical, Biological, Radiological and Nuclear) area. He was head of the Chemical Security Branch of the Attorney-General’s Department; responsible for nuclear policy during the construction of the Australian OPAL reactor; and represented the Attorney-General’s Department in the Security Sensitive Biological Agents development process, bringing to it a pragmatic, risk driven approach.

As Director of Identity and Biometric Security Policy, Alex was responsible for developing the successful proposal to expand the Australian Document Verification Service into the private sector in 2012.

Alex has been a member of the Australasian Council of Security Professionals since 2011 and a registered security professional in the area of Security Enterprise Management with the Security Professionals Register of Australasia.