Wednesday, May 18, 2011

Another Blow to the Health IT Idealists: Sony CEO Howard Stringer, and HHS OIG, on Information Security

In a series of Healthcare Renewal posts such as those linked below, I pointed out that healthcare IT information security was largely a pipe dream, and that plans to create a national network of health information, while a seductive idea dating to the beginnings of computer networking, is not a good idea now.

Now you can hear it from another source: The CEO of one of the world's largest electronic companies, Sony.

Emphases mine:

Sony CEO Warns of 'Bad New World'
Wall Street Journal
May 8, 2011

TOKYO—After spending weeks to resolve a massive Internet security breach, Sony Corp. Chief Executive Howard Stringer said he can't guarantee the security of the company's videogame network or any other Web system in the "bad new world" of cybercrime.

Mr. Stringer's comments in a phone interview Tuesday, ahead of a New York roundtable discussion with reporters, come on the heels of a trying month for Sony. The company partially restored two of its online game systems and a streaming movie and music service over the weekend after shutting the services for several weeks when a breach compromised the personal information of more than 100 million account holders.

While Sony has restored part of the PlayStation Network—an online game system for its PlayStation 3 videogame console—in the U.S. and Europe and bolstered security measures, Mr. Stringer, 69 years old, said maintaining the service's security is a "never-ending process" and he doesn't know if anyone is "100% secure."

He said the security breach at PSN, Sony Online Entertainment, an online game service for personal-computer users, and its Qriocity streaming video and music network his company could lead the way to bigger problems well beyond Sony, or the gaming industry. He warned hackers may one day target the global financial system, the power grid or air-traffic control systems. [And healthcare, where identity theft, data alteration, and data destruction might occur - ed.]

I really don't think this is the time to be setting up a national health information network.

Beyond that, I offer no additional comments, other than that regarding the impossibility of keeping healthcare information secure on a national or even regional network, you may have heard it first here at Healthcare Renewal.

It would be prudent and consistent with the Hippocratic Oath to tone down our grandiose expectations and grandiose plans for these technologies in healthcare.

If you feel insecure yet, just wait a moment.

Going from very, very bad to very much worse:

An independent audit of ONC's and CMS's security programs by the HHS OIG (Office of the Inspector General) produced concerning if not alarming results to say the least:

Federal Audits Find HIT Security Problems at CMS, ONC
John Commins, for HealthLeaders Media
May 18, 2011

Audits of the federal agencies charged with implementing and monitoring security measures for healthcare information technology identified this week lax oversight and insufficient standards for healthcare providers.

The audits were conducted by the Department of Health and Human Services' Office of Inspector General, and targeted HIT security standards, privacy protection under HIPAA, and other security measures at the Centers for Medicare & Medicaid Services, and the Office of the National Coordinator. "
These two reports are being issued simultaneously because OIG found weaknesses in the two HHS agencies entrusted with keeping sensitive patient records private and secure," OIG said in a media release.

The CMS audit,
Nationwide Rollup Review of the Centers for Medicare & Medicaid Services Health Insurance Portability and Accountability Act of 1996 Oversight, examined seven hospitals across the country and found 151 "vulnerabilities" in systems and controls that are designed to safeguard electronic protected health information.

Those lapses included 124 "high impact vulnerabilities" such as
unencrypted laptops and portable drives containing sensitive personal health information, outdated antivirus software and patches, unsecured networks, and the failure to detect rogue devices intruding on wireless networks, the OIG audit said.

"These vulnerabilities placed the confidentiality, integrity, and availability of ePHI at risk. Outsiders or employees at some hospitals could have accessed, and at one hospital did access, systems and beneficiaries' personal data and performed unauthorized acts without the hospitals' knowledge," the OIG audit said. "As a result, CMS had limited assurance that controls were in place and operating as intended to protect electronic protected health information, thereby leaving ePHI vulnerable to attack and compromise.

OIG's Audit of Information Technology Security Included in Health Information Technology Standards examined ONC's mandate under the HITECH Act to develop HIT security as part of a national HIT interoperability infrastructure. The audit found "no HIT standards that included general information IT security controls … which provide the structure, policies, and procedures that apply to a healthcare provider's overall computer operations, ensure the proper operation of information systems [which obviously also impacts patient safety - ed.], and create a secure environment for application systems and controls.

That's not very reassuring. In fact, it is downright frightening. ONC has to learn such lessons from HHS OIG? Read the whole thing.

I somewhat mordantly note that organizations such as ONC and CMS would probably never hire a person like me, who might actually kick-start true critical thinking on these issues. This is due to my non-bien pensant "bad attitudes", and lack of faith in cybernetic idols.

Click to enlarge. A well-known idol of gold. Computer circuits use gold, no?

-- SS


Anonymous said...

In the AP story: Two reports find security holes in electronic medical records by Ricardo Alonso-Zaldivar I found this quote to be chilling:

“Incentive payments could total as much as $27 billion over 10 years. Providers who insist on clinging to paper records will eventually face cuts in Medicare payments.”

First; we have the inherent negative statement of “clinging to paper records.” What is wrong with paper?

Second; with this type of money vendors will flog this horse as far as it takes to get paid.

We have reached a point in this society where right, wrong, or cost effective does not matter, only that I get mine.

Steve Lucas

Scot M Silverstein MD said...

We have reached a point in this society where right, wrong, or cost effective does not matter, only that I get mine.

That cannot be sustained forever.

-- SS

Live IT or live with IT said...

Oh Scott, I'm sure everything will turn out OK. Our elected leaders know best, you should just shush up. I mean what does experience with all the old stuff you did mean, and all of the reports you cite to support a slow down of HIT are based on data at least 6 months old. Everything has changed in the past week or two, so nothing you say has any weight.

Anonymous said...

The proverbial double whammy: The patient suffers irreparable harm from unregulated devices and the patient's private information is out there.

If they did an audit for safety, they would find the same gaping holes.

The moratorium on further waste of tax dollars on meaningfully unusable, unsafe, and unsecured HIT devices starts now!

Scot M Silverstein MD said...

Live IT or live with IT said...

all of the reports you cite to support a slow down of HIT are based on data at least 6 months old.

Another report to the British I cite in my NpfIT post is appx. 235 years old. Imagine that!

-- SS