
Big Data, Little Devices: Security Analytics Enable Health Care Transformation

Part 1: Why the Star Trek Medical Tricorder Didn’t Have an App Store

The future of information security is looking brilliant: by the 23rd century there will be no computer hacks, at least according to Star Trek. (Let the trivia counter-arguments begin, Trekkies!) That may be an unrealistic prediction on Gene Roddenberry's part (in fairness, he never said the ship's computer and tricorders were never pwn3d; it was just assumed that they were always reliable), but whenever Dr. McCoy waved a medical tricorder over a crew member or an alien with some, well…alien ailment, the results were instantaneous and spot on. None of us ever considered that tricorders might be infected with a new mobile worm, or that they housed electronic protected health information (ePHI) that could be disclosed when Bones left one on a bar by accident. Then again, I never saw him texting Spock or playing Angry Birds on the medical tricorder, which may be why I never saw him swearing over having to type in an eight-digit passcode because of an MDM policy.

Today’s tricorder, what we in the 21st century call the mobile device, promises to realize the science fiction of a half-century ago. In health care alone, tablet computers and smartphones enable anywhere, anytime access to electronic medical and health records (EMR/EHR), much like the medical tricorder. The benefits of mobile EMR access are manifold and key to health care transformation. Caregivers, patients, and payers can view up-to-the-minute patient history, complaints, tests, medications, and outcomes, both over the internet and at the patient's side. Doctors can update records, prescribe medications, and refer patients to specialists, and the receiving caregiver has access to the same information as the primary care physician.

I remember having to fill out forms to have my paper-based medical records transferred when I was reassigned from one military base to another, and going through the same procedure in the civilian world to have records copied from one practice to another, all facilitated by the US Postal Service. And since x-rays are difficult to copy, the receiving practice had to take a whole new set of films. Today x-rays can be produced digitally, copied at will with no loss of fidelity, transferred as soon as they're taken with no manual processing needed, and delivered to the doctor on a tablet computer.

Technology is enabling not only interconnected health data, but a connected health experience for the patient, caregiver, payers, and pharmacies. Immediate results mean less anxiety for patients, and quicker diagnoses and treatment plans. Connected health also means caregivers can monitor patient outcomes even after they've left the clinic or been discharged from the hospital, and allows patients to ask questions and express concerns without the interruption of a phone call or the frustration of waiting for a callback. It allows all parties to interact toward a more timely recovery and avoid mistakes.

It sounds utopian, but there are challenges, not the least of which are privacy and security. Recent medical record compromises illustrate the point:

• 34,000 patient files were compromised when a contractor's laptop was stolen from his car

• A hacker in Eastern Europe broke into a state-owned computer in Utah and stole 800,000 records—more than 1/4 of the state's population

• Backup tapes were stolen from a health insurer for the military; 5 million patient records were compromised—the biggest health data exposure to date

• A hospital insider accessed patient records over a period of 17 months and sold them

Health care organizations are also subject to the same external threats as all connected organizations: malware, targeted attacks by cyber criminals, and even Advanced Persistent Threats (APTs). One could argue that our health care system is part of the national critical infrastructure (the U.S. Department of Homeland Security does, in fact, classify it as such) and therefore a target for cyber warfare.

But executives within the health care system view privacy and security as separate issues, and are concerned predominantly with privacy. Those of us in information security know that privacy is a component of security: you can have security without privacy, but not privacy without security. Viewed through the lens of the CIA triad (confidentiality, integrity, and availability), security is not complete without confidentiality, and privacy depends on confidentiality. While the boardroom may not appreciate the distinction, IT security needs to ensure the organization is protected from threats and fraud, both internal and external, especially in the U.S., where the political controversy over health care reform puts providers, payers, and drug companies in the sights of hacktivists.

Whatever your feelings on compliance, at least HIPAA forces health care organizations to consider a broad range of security measures; its extension, the HITECH Act, gives teeth to HIPAA in the form of mandatory breach reporting, financial penalties, and more stringent requirements on business associates. So while privacy is the paramount security concern of executives in health care, the threat of financial penalties and of brand damage from public exposure compels them to fund at least the security measures mandated by HIPAA and HITECH. It doesn’t hurt that the American Recovery and Reinvestment Act (ARRA) of 2009 allocates $155.1 billion to health care organizations with the stipulation that they comply with the HITECH Act, which is contained within ARRA. Combining positive financial incentives for health care organizations that implement “meaningful use” of EHR with negative incentives for organizations that fail to take proper precautions helps drive the transformation of health care toward a pay-per-value model and away from a pay-per-transaction system.

It’s appropriate to note that the health care industry is a lot like the security industry: no one wants to have to call on either, and we often wait until it's too late to invest in both health care and information security. Sure, we buy health insurance, but we don't do the basics like eat healthy food and exercise. In security we invest in firewalls and anti-malware, but too many organizations don't have clear, living security policies in place with the requisite staff, programs, and technology to support them. And we're not good at continuous monitoring in either: a once-a-year check-up is too infrequent and too gross a test to catch anything but the most obvious ailments, or the ones the physician is looking for. During my annual physical a couple of years ago, a doc actually pulled out the old rubber hammer and thwacked my kneecaps!

All too often we take the same approach to information security: wait for signs of illness, then diagnose the problem. We may page through endpoint security logs looking for scary and obvious messages that a piece of malware was detected on a user’s laptop, and conduct monthly vulnerability scans, but the majority of system compromises go unnoticed for months, according to recent analyses of breaches. Health care is currently focused on early detection, and while we profess to have the same goal in information security, it’s clear that we’re not doing a great job. The irony is that just about every current information security regulation and contractual obligation, such as HIPAA, PCI, and NERC, mandates central logging.
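What continuous monitoring over those centrally collected logs can look like, as an added example that is not from the original article or from Q1 Labs' products: the script below builds a per-user baseline of how many distinct patient charts each user opens per day from EHR audit records, then flags any later day that deviates sharply from that baseline. This is the shape of check that catches the insider in the fourth bullet above long before 17 months pass, and that a once-a-month log review misses. The audit log lines, their format, the user names, the 14-day training window and the z-score threshold are all constructed assumptions for illustration.

```python
"""Per-user baseline detector over centralized EHR audit logs (illustrative)."""
import re
import statistics
from collections import defaultdict

# Assumed audit-record format, forwarded from the EHR to a central log store.
# Real EHR audit formats differ; this one is constructed for the example.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})T(?P<time>\d{2}:\d{2}:\d{2}) "
    r"user=(?P<user>\S+) action=view_record patient=(?P<patient>\S+)$"
)


def build_sample_log():
    """Constructed sample: 30 days of activity for two users. nurse01 opens six
    ward charts a day; clerk02 opens three a day except on day 28, when clerk02
    opens 40 charts, the kind of slow-then-bulk access an insider reseller shows."""
    lines = ["garbage line that does not match the audit format"]  # exercises skip
    for day in range(1, 31):
        d = f"2012-03-{day:02d}"
        for i in range(6):
            lines.append(f"{d}T{8 + i:02d}:15:00 user=nurse01 action=view_record "
                         f"patient=P{1000 + day * 10 + i}")
        n = 40 if day == 28 else 3
        for i in range(n):
            lines.append(f"{d}T{9 + (i % 8):02d}:{i:02d}:00 user=clerk02 "
                         f"action=view_record patient=P{2000 + day * 10 + i}")
    return lines


def parse(lines):
    """Yield (date, user, patient) for lines that match; silently skip the rest,
    which in practice should be counted and reviewed as a parsing failure."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.group("date"), m.group("user"), m.group("patient")


def daily_distinct_patients(records):
    """Map user -> {date: number of distinct patients viewed that day}."""
    seen = defaultdict(lambda: defaultdict(set))
    for d, user, patient in records:
        seen[user][d].add(patient)
    return {u: {d: len(p) for d, p in days.items()} for u, days in seen.items()}


def flag_anomalies(per_user, train_days=14, z_threshold=3.0, min_sigma=1.0):
    """Baseline each user on their first `train_days` days, then flag any later
    day whose count exceeds mean + z_threshold * sigma. `min_sigma` keeps a
    perfectly regular baseline (sigma 0) from alerting on a one-chart change."""
    alerts = []
    for user, days in per_user.items():
        ordered = sorted(days.items())
        train = [count for _, count in ordered[:train_days]]
        if len(train) < 2:
            continue  # not enough history to baseline this user yet
        mean = statistics.fmean(train)
        sigma = max(statistics.pstdev(train), min_sigma)
        for d, count in ordered[train_days:]:
            z = (count - mean) / sigma
            if z > z_threshold:
                alerts.append({"user": user, "date": d, "count": count,
                               "baseline": round(mean, 1), "z": round(z, 1)})
    return alerts


def run(lines=None):
    """End-to-end: parse, aggregate, and return the alerts for the sample log."""
    lines = build_sample_log() if lines is None else lines
    return flag_anomalies(daily_distinct_patients(parse(lines)))


if __name__ == "__main__":
    for alert in run():
        print(alert)  # one alert: clerk02 on 2012-03-28 with 40 charts vs baseline 3
```

The count-per-day baseline is deliberately the simplest analytic that works; in a real deployment you would also baseline by hour of day, by the user's unit versus the patient's unit, and by record type, and you would feed the alert into the same workflow as a malware detection rather than into a monthly report.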

We have an advantage in information security over health care, though: the capability to perform continuous and non-invasive monitoring. Medical diagnostics are getting less traumatic with transcutaneous blood-gas monitors, dielectric and near-infrared spectroscopy for blood glucose monitoring, ultrasound for cardiac and fetal development monitoring, but we’re a long way from the medical tricorder.

However, continuous patient monitoring is still possible without inserting a needle into an arm, slicing open an abdomen, or embedding a microchip in a brain. By monitoring behavior, measuring extrinsic factors, and applying analytics, it’s possible to infer incredibly accurate conclusions about a patient’s condition. I explore this in Part 2 of this article.

Chris Poulin brings a balance of management experience and technical skills encompassing his 25 years in IT, information security, and software development to his role as Chief Security Officer at Q1 Labs. Prior to joining Q1 Labs in July 2009, Poulin spent eight years in the U.S. Air Force managing global intelligence networks and developing software. He left the Department of Defense to leverage his leadership and technical skills to found and build FireTower, Inc., an information security consulting practice.