Tuesday, December 11, 2012

Hacking of medical records

ABC Radio South East is going to interview me at 8:46am on Wednesday about the hacking of medical records. According to the report "hackers" have demanded $4,000 to restore the records of a medical centre. I did not pay much attention when I first heard the story as it sounded like the usual scare story issued by anti-virus software companies to promote their products. The ransom amount sounds too low to be credible. Also, even if the medical practice paid the ransom, there is no way they could rely on the records being intact and unaltered.

The obvious reaction to such a story would be to call for medical records to be stored offline, on a server not connected to the Internet. But Australian state and federal governments are spending billions of dollars on ehealth to put records online. These online systems are intended not only to reduce costs, but to improve health, by providing a consolidated and more accurate medical record to all of a patient's health care providers. Speaking from experience, when you are lying semi-conscious in an intensive care ward of a hospital being asked about your medical history, you would welcome an online record the doctor could access, so they could get on with treating you urgently.

Some guides and standards for cloud use, such as AGIMO's "Privacy and Cloud Computing for Australian Government Agencies Better Practice Guide" and IITP's "Cloud Computing Code of Practice", are discussed in my presentation "Records in the Cloud?" for the Transitioning to Digital Recordkeeping conference this year.

Medical centres should have good internal security procedures (an attack by an employee remains a bigger threat to an organisation than an attack from outside), as well as backing up their data, keeping at least one copy of the backup offline and periodically testing that records can be restored from it, securing their computer systems, using anti-virus software and having a firewall separating the internal system from the Internet. Small medical practices might be better off with cloud-based outsourced services run by companies with the required expertise, rather than relying on locally run and maintained systems.
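One practical check that follows from the point above, that records handed back after a ransom cannot be trusted to be intact and unaltered, is to keep a keyed-hash manifest of the records with the offline backup and verify the live records against it after an incident. The Python script below is an added example written for this post; it is not from the original post, the RACGP standards or any of the guides cited. The records directory layout, the patient file names, the ransom note file name and the key are all constructed for the demonstration; in practice the key and the manifest would be stored offline with the backup, not on the practice server.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 65536  # read files in 64 KiB blocks so large scans or images fit in memory


def file_mac(path, key):
    """Keyed hash (HMAC-SHA256) of a file's contents.

    A keyed hash rather than a plain digest means an attacker who alters a
    record cannot also recompute a matching manifest entry without the key,
    which is kept offline with the backup."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            mac.update(block)
    return mac.hexdigest()


def build_manifest(root, key):
    """Map every file under root (path relative to root) to its keyed hash."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = file_mac(full, key)
    return manifest


def verify_manifest(root, key, manifest):
    """Compare the records tree against a stored manifest.

    Returns sorted lists of files whose contents changed, files that are
    gone, and files that were not there when the manifest was taken."""
    current = build_manifest(root, key)
    modified = sorted(p for p in manifest
                      if p in current and not hmac.compare_digest(current[p], manifest[p]))
    missing = sorted(p for p in manifest if p not in current)
    unexpected = sorted(p for p in current if p not in manifest)
    return {"modified": modified, "missing": missing, "unexpected": unexpected}


def demo():
    """Constructed scenario: take a manifest of three patient records, then
    alter one, delete one and drop in a ransom note. Returns the verification
    result before and after the tampering."""
    key = b"constructed-demo-key-the-real-one-lives-offline"  # constructed, not a real key
    with tempfile.TemporaryDirectory() as root:
        patients = os.path.join(root, "patients")
        os.makedirs(patients)
        # Constructed sample records, not real patient data.
        for pid, note in (("p001", "allergy: penicillin"),
                          ("p002", "no known allergies"),
                          ("p003", "on warfarin, INR check due")):
            with open(os.path.join(patients, pid + ".txt"), "w") as f:
                f.write(note)

        manifest = build_manifest(root, key)
        before = verify_manifest(root, key, manifest)

        # Simulated tampering: a silently altered record is the dangerous case,
        # since a "restored" set of files can look complete yet be wrong.
        with open(os.path.join(patients, "p001.txt"), "w") as f:
            f.write("allergy: none")
        os.remove(os.path.join(patients, "p003.txt"))
        with open(os.path.join(root, "README_TO_RESTORE.txt"), "w") as f:
            f.write("pay to get your files back")

        after = verify_manifest(root, key, manifest)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before)
    print("after tampering: ", after)
```

The manifest is taken at backup time and written out next to the offline copy; after an incident the practice runs the verification against the live records and gets a list of what was changed, removed or added, rather than taking the attacker's word that everything was put back. A plain unkeyed hash list would detect accidental corruption but not an attacker who rewrites the list to match the altered files, which is why the hash is keyed.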

The Australian Computer Society was assisting the Australian Government to prepare a Cyber Security White Paper, which was to be released in early 2012. I helped prepare the ACS Submission for the Australian Cyber Policy White Paper. Unfortunately the Department of Prime Minister and Cabinet then cancelled the white paper. Perhaps this needs to be renewed.

1 comment:

Tom Worthington said...

The Royal Australian College of General Practitioners recommend GPs implement a set of "RACGP Computer and Information Security Standards" (CISS) for their practice computer system.