Thursday, February 04, 2010

Networked, Interoperable, Secure National Medical Records a Castle in the Sky?

The holy grail of electronic medical record efforts of late is the creation of networked, interoperable, secure national medical records that would allow a physician in Palo Alto to retrieve the records of a patient from Hoboken if that patient moved or was found (in the hackneyed and somewhat histrionic scenario) unconscious on the streets of San Francisco.

Recent events have made me skeptical we are anywhere near ready for such a technological accomplishment:

McAfee: Big Business Under Constant Cyber Attack

At the World Economic Forum Annual Meeting in Switzerland, McAfee announced the results of a survey of 600 IT security execs in "critical infrastructure enterprises worldwide": that is, in places such as utility companies, banks, and even oil refineries. And apparently, they're constantly under cyber attack and also extortion related to those attacks.

It's a real battlefield out there.

The report, written by the Center for Strategic and International Studies (CSIS), says that 54 percent of those surveyed have already been attacked. The culprits behind the cyber-attacks are listed as "organized crime-gangs, terrorists, or nation-states."

In other words, not simply teenage hackers or cyber-papparazi interested in the medical condition of a movie star.

Only one-fifth of the IT execs surveyed believe their systems are currently secure. One-third say things are worse now, vulnerability-wise, than a year ago, due to budget cuts.

What constitutes a cyber attack? A distributed denial of service (DDoS) is the most typical ... mitigation can be hampered by the local laws, working in multiple countries, or the economics of where they operate. For example, half of those surveyed claim the laws in their countries don't do enough to prevent or deter cyber attacks. That's especially true for Russia, Mexico, and Brazil.

Other attack vectors include DNS poisoning where Web traffic is redirected, SQL injection attacks on back-end data via a public Web site, and plain old theft of services.

If you need a plot for your new thriller novel, keep in mind that 20 percent of these companies are not just cyber-attacked, but have also been threatened with attacks in the last two years in "low-level extortion" attempts.

... Those surveyed said the money loss is the worst part, second is the loss of reputation, and (if you thought you weren't important) loss of customers' personal information is third.

This is a worldwide survey, and almost two-thirds of those surveyed believe foreign governments were responsible in some way for previous attacks. The two countries considering the biggest threats: China (by 33 percent of those surveyed) and the good ol' U.S. of A. (by 36 percent). China believes it's the biggest target.

The full report, called In the Crossfire: Critical Infrastructure in the Age of the Cyber War is free on McAfee's Web site in PDF format.

I note that Google recently called in the National Security Agency to help analyze a major corporate espionage attack:

The attacks targeted Google source code -- the programming language underlying Google applications -- and extended to more than 30 other large tech, defense, energy, financial and media companies. The Gmail accounts of human rights activists in Europe, China and the United States were also compromised.

Then there's this:

Intelligence Chief: U.S. at Risk of Crippling Cyber Attack

Feb. 4, 2010

The United States is at risk of a crippling cyber attack that could "wreak havoc" on the country, Director of National Intelligence Dennis Blair said.

"What we don't quite understand as seriously as we should is the extent of malicious cyberactivity that grows, that is growing now at unprecedented rates, extraordinary sophistication," Blair said.

... He said one critical "factor" is that more and more foreign companies are supplying software and hardware for government and private sector networks. "This increases the potential for subversion of the information in ... those systems," Blair said. [Outsourcing our HIT development overseas sounds like a great idea - ed.]

Read the linked articles in their entirety.

Perhaps we should focus on the local at present. National networked EMR's are a great concept, but there are a few social-technical details that remain to be worked out beforehand.

A Castle in the Sky...

-- SS


Pharma Conduct Guy said...

Obviously, security is a complex activity that extends beyond just technology. However, many of the problems listed above, such as DDOS, DNS Cache poisoning, etc are so widespread because they exploit the "childlike innocence with regard to strangers" that is a fundamental part of the early internet design, where connectivity, not security was a major factor. So much of the current TCP/IP architecture dates back to the 1970s. I'm curious what fraction of current problems will be eliminated once IPV6 is implemented.

Anonymous said...


InformaticsMD said...

So much of the current TCP/IP architecture dates back to the 1970s. I'm curious what fraction of current problems will be eliminated once IPV6 is implemented.

We will find out (we can't know this with certainty beforehand -- cf. Social Informatics research on unintended consequences of any new information & communications technology). However, I am certain that utilizing patients as test subjects in our explorations is not a prudent approach.

-- SS