
e-Health vulnerability statement

Cyber Secure Institute (published 02/07/2009)
 

The Cyber Secure Institute updates e-Health vulnerability analysis in light of Virginia Health Professions hack


Rob Housman, the Executive Director of the Cyber Secure Institute, has released this statement concerning new information about the recent hack of the Virginia Department of Health Professions and vulnerabilities with insecure e-Health systems:

Recently the Institute analyzed the ramifications of IT vulnerabilities for the push towards e-Health. Our analysis focused to an extent on the recent hack of a Virginia State prescription drug database. This week Virginia State officials testifying before State legislators said that they are now receiving reports that doctors are hesitant to prescribe more potent painkillers to patients because of the hack and the vulnerabilities inherent in the database.

The Associated Press reports:

A House panel learned that powerful drugs such as Oxycontin, Valium, Vicodin and Ritalin are being withheld because pharmacists can’t check with the prescription drug database that still allows limited access.

This is precisely the sort of real-world health impact from cyber shortcomings that the Institute’s analysis discussed.

If hackers can continue to be able to access vital health records almost at will, then they will have the ability to steal records, alter information, or simply deny access. Or, as with what has happened in the energy sector, they could simply use the power to take these systems offline to extort untold sums of money. As bad as compromising a prescription drug database may be, imagine if the database that was taken down had the real-time medication data for a patient arriving at an emergency room in extreme distress. How much could you be compelled to pay if a hacker had your life in the balance? Or the lives of hundreds of thousands of patients?

For these reasons the Institute continues to advocate that the first step in building an e-Health system has to be the development of an essentially hack-proof digital infrastructure that has security designed in from the start—not yet another bolt-on system of firewalls and forensics that is inherently insecure. Such a secure infrastructure must utilize only technologies that are tested by third-party experts—preferably the NSA and NIST—against established, national standards. Such testing must include extensive penetration testing, even with the source code. And, only technologies that can meet these requirements should be part of the national e-Health infrastructure. A good place to start is technologies like those of Integrity Global Security and Tenix, which are NSA certified secure against even hostile, intentional, sophisticated attempts to penetrate them.

In summary, the mantra for e-Health must begin with the Hippocratic Oath’s promise to “First do no harm.” An insecure e-Health system cannot live up to that oath.

 

 

© 2010 ProSecurityZone.com