Doctors’ Office a New Frontier in Security

As the medical profession moves towards more electronic records, a comparatively* new field of security is opening up.

The article touches on a few good examples: patients entering data into (likely) poorly-secured web forms, and handing CDs to a receptionist who sticks them into a (usually Windows-based) computer storing thousands of people’s records (or more).

I suspect there’s opportunity here for good defenses… people hope their medical records are kept really private, but they often aren’t. All kinds of people want unauthorized access to others’ medical treatment information, never for good reason. Yet since people realize the value of keeping this part of their private lives private, they’re willing to expend energy and money in helping it stay that way.

* (If you can read German, a fascinating piece considering among other things the implications of “TEMPEST” attacks against the medical profession back in 1999, and touching on jamming as opposed to shielding as a defense:

“So the emergency room doctor ordered a CT scan (to check for a concussion and the presence of a brain) and various x-rays. I thought about the computer controls while in the CT scanner, but what was really interesting was when the hospital emergency room digitized the results and gave them me on a CD to provide to the orthopedist. […]

Before going to the orthopedist, they had me fill out a bunch of forms online. As I provided the detailed medical information, I wondered how secure the web interface is, and whether someone could attack the medical record system through the patient input interface.[…]

When I got to the orthopedist’s office a few days later, I gave the receptionist the CD, which she promptly read into the medical records computer and returned to me. It occurred to me that the risk taken in reading a CD or other media from an unknown source is pretty substantial, something we’ve known in the security world for decades but has not filtered well into other fields. […]

When I got home, I read the CD on my Mac laptop, and discovered that it has an autorun.INF file to start the application that reads the x-ray data files. I don’t know whether the doctor’s office disables AutoRun on their computers; undoubtedly some doctors do and others don’t.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: