Friday, November 09, 2012

Why It's Crazy to Want Your Most Confidential Information Put into An Electronic Medical Records System

Besides the reasons I outlined in posts retrievable by these query links (link, link), there's this from ZDNet.com:

Microsoft warns of first critical Windows 8, RT security flaws

It's been less than a month since Windows 8 and Windows RT-powered Surface tablets were launched and went on sale, but Microsoft is already warning that the two next-generation operating systems contain critical security vulnerabilities that are due to be patched this coming Tuesday.

Among the various flaws, versions from Windows XP (Service Pack 3) all the way through to Windows 8 are affected, including versions of the Office suite, and versions of Windows Server. Released only in September, Windows Server 2012 requires patching to maintain maximum security.

The latest vulnerabilities include three critical security vulnerabilities for Windows 8, and one critical security vulnerability for the Surface-based Windows RT operating system. These flaws are considered "critical" and could allow remote code execution on vulnerable systems.

I note that Windows XP was released worldwide for retail sale on October 25, 2001, which was more than eleven years ago.  That security vulnerabilities are still being patched in 2012 is stunning.  Also, many enterprise information systems and most hospital clients (workstations) run on Windows-based servers and Windows installed local machines (UNIX, MacOS and other OS's are very rare on general-purpose hospital workstations).

From a Microsoft website here:


This partial list includes many very large HIT sellers.  There are many others as well.

By simple reckoning, it's likely we'll be seeing critical security vulnerabilities in Windows 8 - in 2023.

It goes without saying that these security problems will continue to be exploited by identity thieves, medical information merchants, and others with no rights to "protected" information.

In my opinion, the (still not yet realized) convenience of being able to have one doctor transmit your record to another, thus avoiding a FAX machine, the Postal Service or the telephone, and the trillion-dollar "solution" to the nearly non-existent problem of being found unconscious in some foreign land with no ID, no companions, and some hidden, critical medical condition not findable on physical exam and bloodwork, EKG, x-rays etc. that will cause death if not treated in minutes, is not worth the risk of having one's most private information spilled all over the Internet.

EHR's should not be accessible on networks beyond a physician's office or the robustly encrypted network of a hospital, and the information security personnel kept on very short leashes, for the foreseeable future.

I am unwilling to cede my own privacy to cybernetic utopians who ignore alarming evidence - plain to see at the aforementioned query links at the top of this post - nor can I in good faith recommend doing so to the public in 2012.

Considering the information in the many posts at the aforementioned query links (as here: link, link -- be aware you need to hit "older posts" at the bottom of each page to see all of them), that position is straightforward.

-- SS

11/9/2012 Addendum:

Also see my Oct. 2012 post "Computer Viruses Are 'Rampant' on Medical Devices in Hospitals."

-- SS

1 comment:

Anonymous said...

CCHIT obviously does not certify that the EHRs are secure.

CCHIT may not know how to determine that.

The HIT industry, including vendors, its trade group and promotor HIM$$, HIM$$'s offspring CCHIT (the legitimization company), and the co-opted academicians are compromising the practice of medicine and the care of patients, as they all bankroll the $ billions for selling devices that are no damn good.