Hacking Up a Hospital

by Jonathan Bloom

I’ve been accused of being a 'homer' – someone who is so devoted to the metro area he lives near that he overplays its good points and has a blind spot for its shortcomings. I make no apologies for being this way about Boston, for as the Standells sang long ago: “I love that dirty water; oh, Boston, you’re my home.”

People most often see my 'homeristic' tendencies through my devotion to the local sports teams. In summer, I bleed Red Sox red; in the fall, Patriots’ blue; and in the winter, the black and gold of the Stanley Cup Champion Boston Bruins…with a tinge of Celtic green thrown in for good measure. But while I am committed to the superiority of the local sports entries, there is another industry where I am firmly convinced that Boston is the world leader bar none. When it comes to the health care industry, I do not stray far from the feelings of my father who used to carry a note in his wallet that said, “In case of medical emergency, ship me back to Boston.”

This devotion does have its limits, however. Just as I am not so jaded as to believe that the Red Sox will win every game (although I do believe the Patriots can since they did it once before), I also know that Boston’s health care centers are not perfect and can fall victim to mistakes. And when it comes to the health care industry, since the early part of my career writing about technology came on the health care IT (HCIT) side, I know the vulnerabilities that exist.

Down by the Banks of the River Charles

Knowing the vulnerabilities that exist and actually learning they have been exploited are two different things, though. So when I read in the blog of my friend Bob Mitchell, a long-time journalist and blogger on subjects in the HCIT field, that Beth Israel Deaconess Medical Center had been yet another victim of a virus that led to personal information being stolen, I was taken aback a bit.

The “B-I,” as most call it around here, is highly respected not only for top-notch health care provision, but also for being on the leading edge of HCIT implementation and use; as proof of that rare intersection, their CIO, John Halamka, is also an MD. For them to have fallen victim is more evidence that even the best IT systems are vulnerable if due diligence is not paid.

Lovers, Fuggers and Thieves

Mitchell reported:

“The hospital said that an unnamed computer service vendor had failed to restore proper security settings on a computer after performing maintenance on it. The computer was later found to be infected with a virus, which transmitted data files to an unknown location.

“The computer contained medical record numbers, names, gender, and dates of birth from 2,021 patients, as well as the names and dates of radiology procedures that had been performed…”

Mitchell went on to add that none of the stolen information included Social Security numbers or financial data, but still, there was information “in the wind” because someone failed to do their due diligence and left a computer vulnerable to being hacked.

Just Once Those Doors Weren't Locked

All it takes is one computer to let its guard down and all the vulnerabilities within a company’s IT system become exposed. This is why due diligence is needed not only over the security of an IT system, but also over all possible gateways open to nefarious networkers, which need to be made visible through some form of structural analysis because, as I often quote Muhammad Ali, “you can’t hit what you can’t see.”

Organizations need to look to the “enemy within” and ensure that the structural quality of the applications that house and handle their personal data is sound and thereby impervious to attack. This can best be done through a system of automated analysis and measurement, which can assess thousands upon thousands of lines of code as well as interfaces and other structural factors that can result in software malfunction, and which manual analysis cannot detect efficiently.

You see, lack of attention to the structural quality of the application software on the IT system of any organization can have disastrous results. When those vulnerabilities exist on the IT system of one of the world’s finest health care providers, though, structural quality becomes a matter of life and death.

Jonathan Bloom Technology Writer & Consultant
Jonathan Bloom has been a technology writer and consultant for over 20 years. During his career, Jon has written thousands of journal and magazine articles, blogs and other materials addressing various topics within the IT sector, including software development, enterprise software, mobile, database, security, BI, SaaS/cloud, Health Care IT and Sustainable Technology.