Thursday, January 21, 2010

Operation Aurora And a Widespread Reluctance to Discuss IT Flaws: Is Universal Healthcare IT Really a Good Idea in 2010?

In an essay that ties together recent exposés of serious IT security flaws (starting with Operation Aurora) and a culture of secrecy that pervades the IT industry and industries who use IT, I ask the question:

Is universal healthcare IT really a good idea in 2010?

The complete essay is at my academic site at this link.

Operation Aurora was a cyber attack, conducted in mid-December 2009 and apparently originating in China, against Google and more than 20 other companies, including Adobe Systems, Juniper Networks, Rackspace, Yahoo, Symantec, Northrop Grumman and Dow Chemical.

The attack used "0-day" vulnerabilities (newly discovered and unknown to the software vendor, i.e., "day zero" of the vendor's knowledge of the defect) in Microsoft's Internet Explorer. One target was Google's email service, Gmail. It is not unrealistic to suspect that successful break-ins to that service could have gotten dissidents jailed or killed. Entire countries have warned users to switch to other browsers, at least until a vulnerability fix can be found. I find this stunning.

I also bring to bear recent reports of a culture of secrecy among IT vendors and users about these defects and vulnerabilities. This culture of secrecy seems prevalent in health IT, with perhaps even higher stakes for people (patients) when systems malfunction.

The essay is long-ish and at times technical.

The IT issues it addresses, though, are at the root of why I believe the current push in health IT is a bad idea and that we need to "slow down" to a more temperate pace.

Again, the full essay is here.

-- SS

1/24/2010 Addendum:

It appears Microsoft has known about the Internet Explorer bug since Sept. 2009.

The flaw was in the Microsoft Security Response Center's (MSRC) queue to be fixed in the next batch of patches due in February, but the targeted zero-day attacks against U.S. companies forced the company to release an emergency, out-of-band IE update.

Actually, this was not a "zero day attack", but a "120 day attack." One wonders if EHR vendors have similar queues.

-- SS

2 comments:

Anonymous said...

Eye opening presentation. Should be required reading for each Member of Congress and the Executive Branch. What could doctors do to help? Avoid these ill-conceived electronic systems like the plague.

MedInformaticsMD said...

Anonymous writes:

What could doctors do to help?

Challenge the bellicose grandiosity of the Marx-esque claims that "IT will revolutionize healthcare," for one.

IT in healthcare is evolutionary at best (when "done well", which seems even more elusive with these revelations that we don't even know how harmful the security flaws are), not revolutionary.