Wednesday, March 13, 2013

But don't worry, your EHR information is secure

My last reminder of this issue was almost a half-year ago, but I think a repeat is in order.

More bugs squashed:

Microsoft fixes critical Windows, IE flaws for Patch Tuesday

Microsoft has released four critical security updates for Windows and Internet Explorer, along with a bevy of other products, in order to protect against at least 19 vulnerabilities identified in its software.

On deck this month, there are four "critical" vulnerabilities that affect Windows, Internet Explorer, Office, and Windows Server, including one for Silverlight that affects both Windows and Mac machines.

The most severe Internet Explorer flaw affected all versions of Windows XP (Service Pack 3) and above, including Vista, Windows 7, and Windows 8 — including tablets running Windows RT — running Internet Explorer 6 and above. The flaw could have allowed a hacker to access the vulnerable system with the same user rights.

... The other vulnerabilities rated as "important" could allow data and information disclosure, or an elevation of privileges on affected machines. These affect SharePoint, OneNote, Outlook for Mac, and kernel-mode drivers in Windows-based machines.

I note that Windows XP is now more than a decade old, but Windows RT is brand-spanking new.

In a Nov. 2012 post somewhat vexatiously entitled "Why It's Crazy to Want Your Most Confidential Information Put into An Electronic Medical Records System" about Windows 8 flaws, I had indicated how common Microsoft products were in hospital IT.

I stand by that vexatious title.

But don't worry, your confidential medical information is secure, and your safety against malfunctioning IT that loses your critical medical information after hackers invade is assured, in our current rushed national health IT rollout.

What is the answer?  Until this technology has significantly been secured and debugged, this old triad applies:

  • If you want your information secure, don't put it on a computer.
  • If you must put it on a computer but still want some degree of security, don't put the computer on a network.
  • If you must put the computer on a network, especially a network connected to the Internet, your information is no longer secure.

It's premature in my view to be building and operationalizing national health records networks. Unless, that is, patient information privacy, security and confidentiality are secondary considerations.

(In my view, they are seen by the national IT builders and promoters as secondary considerations, but the builders and promoters will never admit it, perhaps even to themselves.)
-- SS
