Hacking Up a Hospital

Posted By Jonathan Bloom on December 16, 2011 | Application Failure

I’ve been accused of being a ‘homer’ – someone who is so devoted to the metro area he lives near that he overplays its good points and has a blind spot for its shortcomings. I make no apologies for being this way about Boston, for as the Standells sang long ago: “I love that dirty water; oh, Boston, you’re my home.”

People most often see my ‘homeristic’ tendencies through my devotion to the local sports teams. In summer, I bleed Red Sox red; in the fall, Patriots’ blue; and in the winter, the black and gold of the Stanley Cup Champion Boston Bruins…with a tinge of Celtic green thrown in for good measure. But while I am committed to the superiority of the local sports entries, there is another industry where I am firmly convinced that Boston is the world leader bar none. When it comes to the health care industry, I do not stray far from the feelings of my father who used to carry a note in his wallet that said, “In case of medical emergency, ship me back to Boston.”

This devotion does have its limits, however. Just as I am not so jaded as to believe that the Red Sox will win every game (although I do believe the Patriots can since they did it once before), I also know that Boston’s health care centers are not perfect and can fall victim to mistakes. And when it comes to the health care industry, since the early part of my career writing about technology came on the health care IT (HCIT) side, I know the vulnerabilities that exist.

Down by the Banks of the River Charles

Knowing the vulnerabilities that exist and actually learning they have been exploited are two different things, though. So when I read in the blog of my friend Bob Mitchell, a long-time journalist and blogger on subjects in the HCIT field, that Beth Israel Deaconess Medical Center had been yet another victim of a virus that led to personal information being stolen, I was taken aback a bit.

The “B-I,” as most call it around here, is highly respected not only for top-notch health care provision, but also for being on the leading edge of HCIT implementation and use; as proof of that rare intersection, their CIO, John Halamka, is also an MD. For them to have fallen victim is more evidence that even the best IT systems are vulnerable if due diligence is not exercised.

Lovers, Fuggers and Thieves

Mitchell reported:

“The hospital said that an unnamed computer service vendor had failed to restore proper security settings on a computer after performing maintenance on it. The computer was later found to be infected with a virus, which transmitted data files to an unknown location.

“The computer contained medical record numbers, names, gender, and dates of birth from 2,021 patients, as well as the names and dates of radiology procedures that had been performed…”

Mitchell went on to add that none of the stolen information included Social Security numbers or financial data, but still, there was information “in the wind” because someone failed to do their due diligence and left a computer vulnerable to being hacked.

Just Once Those Doors Weren’t Locked

All it takes is one computer to let its guard down and all the vulnerabilities within a company’s IT system become exposed. This is why due diligence must extend not only to the security of an IT system but also to all possible gateways to nefarious networkers, which need to be made visible through some form of structural analysis because, as I often quote Muhammad Ali, “you can’t hit what you can’t see.”

Organizations need to look to the “enemy within” and ensure that the structural quality of the applications that house and handle their personal data is sound and thereby impervious to attack. This can best be done through a system of automated analysis and measurement, which can assess thousands upon thousands of lines of code as well as interfaces and other structural factors that can result in software malfunction, and which manual analysis cannot detect efficiently.

You see, lack of attention to the structural quality of the application software on the IT system of any organization can have disastrous results. When those vulnerabilities exist on the IT system of one of the world’s finest health care providers, though, structural quality becomes a matter of life and death.


Posted by Jonathan Bloom

Jonathan is an experienced writer with over 17 years in the technology industry. Jon has written more than 500 journal and magazine articles and other materials that have been published throughout the U.S. and Canada. He has expertise in a wide range of subjects within the IT industry including software development, enterprise software, mobile, database, security, BI, SaaS/Cloud, Health Care IT and Sustainable Technology. Jon holds a B.A. in History from Gettysburg College. He enjoys attending sporting events, cooking, studying American history and listening to Bruce Springsteen music.

2 Responses to “Hacking Up a Hospital”

  • Mikey January 5, 2012 at 7:25 am

    Nice post. It’s scary to think that a single unprotected computer is enough to create problems for the whole system. Is there no other solution to prevent something like that happening again? Like you said, in a case such as this one it is a matter of life and death.

  • Jon January 10, 2012 at 1:01 pm

    Mikey, I’m glad you liked the post. My father was a former military intelligence officer, and he used to say one solitary committed antagonist could potentially do more damage than an entire regiment, just because nobody expects a threat from such a small force. While that’s little solace, all any organization can do is fortify its internal “perimeter” by identifying and eliminating any potential points of vulnerability. After all, a virus still needs a point to attack, so if vulnerabilities are addressed and security detection systems are in place, there is less chance for data to be exposed…and such a system of structural analysis must be continually updated so as to keep up with the latest technology of its enemies because, as I wrote back in July after the Citi breach, “Hackers are getting smarter.”
