I’ve been accused of being a 'homer' – someone who is so devoted to the metro area he lives near that he overplays its good points and has a blind spot for its shortcomings. I make no apologies for being this way about Boston, for as the Standels sang long ago: “I love that dirty water; oh, Boston, you’re my home.”
People most often see my 'homeristic' tendencies through my devotion to the local sports teams. In summer, I bleed Red Sox red; in the fall, Patriots’ blue; and in the winter, the black and gold of the Stanley Cup Champion Boston Bruins…with a tinge of Celtic green thrown in for good measure. But while I am committed to the superiority of the local sports entries, there is another industry where I am firmly convinced that Boston is the world leader bar none. When it comes to the health care industry, I do not stray far from the feelings of my father who used to carry a note in his wallet that said, “In case of medical emergency, ship me back to Boston.”
This devotion does have its limits, however. Just as I am not so jaded as to believe that the Red Sox will win every game (although I do believe the Patriots can since they did it once before), I also know that Boston’s health care centers are not perfect and can fall victim to mistakes. And when it comes to the health care industry, since the early part of my career writing about technology came on the health care IT (HCIT) side, I know the vulnerabilities that exist.
Knowing the vulnerabilities that exist and actually learning they have been exploited are two different things, though. So when I read in the blog of my friend Bob Mitchell, a long-time journalist and blogger on subjects in the HCIT field, that Beth Israel Deaconess Medical Center had been yet another victim of a virus that led to personal information being stolen, I was taken aback a bit.
The “B-I,” as most call it around here, is highly respected not only for top-notch health care provision, but also for being on the leading edge of HCIT implementation and use; as proof of that rare intersection, their CIO, John Halamka, is also an MD. For them to have fallen victim is more evidence that even the best IT systems are vulnerable if due diligence is not paid.
“The hospital said that an unnamed computer service vendor had failed to restore proper security settings on a computer after performing maintenance on it. The computer was later found to be infected with a virus, which transmitted data files to an unknown location.
“The computer contained medical record numbers, names, gender, and dates of birth from 2,021 patients, as well as the names and dates of radiology procedures that had been performed…”
Mitchell went on to add that none of the stolen information included Social Security numbers or financial data, but still, there was information “in the wind” because someone failed to do their due diligence and left a computer vulnerable to being hacked.
All it takes is one computer to let its guard down and all the vulnerabilities within a company’s IT system become exposed. This is why due diligence over not only the security of an IT system, but also over all possible gateways to nefarious networkers need to be made visible through some form of structural analysis because, as I often quote Muhammad Ali, “you can’t hit what you can’t see.”
Organizations need to look to the “enemy within” and ensure that the structural quality of the applications that house and handle their personal data are sound and thereby impervious to attack. This can best be done through a system of automated analysis and measurement, which can assess thousands upon thousands of lines of code as well as interfaces and other structural factors that can result in software malfunction, and which manual analysis cannot detect efficiently.
You see, lack of attention to the structural quality of the application software on the IT system of any organization can have disastrous results. When those vulnerabilities exist on the IT system of one of the world’s finest health care providers, though, structural quality becomes a matter of life and death.