Healthcare Information Security

With the Affordable Care Act (ACA) on the horizon for implementation, the amount of patient data will increase exponentially as more Americans gain access to care. The healthcare industry grew up as a paper-based culture; however, today’s technology has quickly been introduced into the continuum of care to make healthcare operations more efficient. With new technology comes the requirement to secure both the technology and the data. But how do you find the balance between providing patient care and providing secure patient care?

Some have stated that the healthcare industry is behind the times in information security for medical technology. The requirement that providers shift their paper-based processes to electronic health records (eHR) by 2014 will in turn require them to secure the information technology that handles patient data.

Another area of healthcare information technology involves the security of medical devices. The ACA will most likely promote increased use of medical devices, which will require medical device security to be stepped up in order to protect the patient. Clinical engineering presents a particular challenge: medical devices have moved from stand-alone care solutions to systems that run traditional operating systems, require network connectivity, and often come with manufacturer-imposed limits on what controls can and can’t be applied to them.

A subset of these medical devices, implantable medical devices, is of particular interest because they typically use insecure wireless protocols to communicate with the configuration host, leaving the patient vulnerable.

Barnaby Jack (R.I.P.) and Jay Radcliffe have brought the general security problem to light and sparked the difficult discussion about how the security of medical devices affects the safety and well-being of the patient. Barnaby Jack was a celebrated computer hacker who could force a bank ATM to spit out cash and who sparked safety improvements in medical devices. He was scheduled to speak at BlackHat USA this year in a talk titled “Implantable Medical Devices: Hacking Humans,” where he planned to reveal software that uses a common transmitter to scan for and “interrogate” individual medical implants. Unfortunately, Jack recently passed away; hopefully Jay Radcliffe can continue his legacy.

As some may recall, Jay Radcliffe hacked his own insulin pump and presented how he did it at BlackHat USA 2011. This year, he will be at BlackHat USA 2013 to give a briefing entitled “Fact and Fiction: Defending your Medical Devices.”

Sentek will be present at this briefing in hopes of asking Mr. Radcliffe a few critical questions. One of these questions will be: How can a healthcare organization balance the primary focus of healthcare, patient care, with information security?