You know the drill. As you enter your local healthcare provider's facility, you fill out endless forms and are told by the nice person behind the counter about the "HIPAA" patient information protection that has been implemented.
Often you also hear about and see a new computer system behind the counter and in the examination room. It seems to have, at the push of a button, all of your data -
My home record system was even more basic. It could be an index card or even simpler. We used to pen into the door jamb of the kitchen the height (and sometimes weight) of our children every year as they grew, marking the substantial growth milestones. Family and visitors could witness the progress or marvel at it years later as the marks faded into the woodwork. It now seems that parents no longer need to do that. A patient can sign in to their medical record and see or print a nice graph. Cool stuff.
I was recently in a large Boston hospital to visit an ailing relative. Since I am in the information security business, I could not help but notice the computer in the room. When the nurse came into the room, I asked a few questions about the computer and how it is used in a patient's hospital room.
I learned that staff must sign on to the patient care system: click the icon on the desktop, then enter a PIN and password. It seemed to meet minimal standards: not that secure, but compliant. Then I asked about the browser on the desktop that was accessible without signing on. As it turns out, that browser was on the home screen and readily accessible to a user, or anyone for that matter. Even with a desktop sign-
After investigating a little more, I learned from a hospital IT person that in a teaching hospital, computers must provide full and open access to the Internet. For example, a doctor or nurse in-
With my penetration testing background, I could not help but realize how easy it would be to compromise the complete patient care system:
* Anyone on the staff had full access to computers throughout the public areas.
* Anyone who has used a computer could likely access any number of machines: in hallways on movable carts, at nurses' stations that are not always attended, or in a patient's room.
* Literally anyone can walk into one of these hospitals without challenge: no security, sign-in or credential check required. Yes, there are security guards in the lobby, to give the appearance of security or to make sure the furniture stays in the lobby.
* Any visitor could access the computer in a number of ways: just belly up to the keyboard, download a key-
* A remote user with credentials could access the patient information system: they may have to return to the facility, or possibly could access it remotely, and gain access to any patient's information.
* Someone remote could friend a hospital worker they know on Facebook. If that worker accessed Facebook (or email) on the job, there would be any number of ways to get at the patient system.
Is the system really HIPAA compliant? On the books, I am certain that it is. But if the idea is to protect your information, do you consider this safe? Wikipedia's summary of the HIPAA information security points does a nice job of surfacing the requirements in understandable language:
* Physical Safeguards:
  * Access to equipment containing health information should be carefully controlled and monitored.
  * Access to hardware and software must be limited to properly authorized individuals.
  * Required access controls consist of facility security plans, maintenance records, and visitor sign-
  * Policies are required to address proper workstation use. Workstations should be removed from high-traffic areas, and monitor screens should not be in direct view of the public.
So next time you go to your local doctor, you can admire the new system that chronicles your health history, and the fact that you don't have to carve up a door jamb to record your growing child. But stay healthy, because if you have to go to a prestigious hospital with Ivy League doctors, you are now entering a zone where you are a piece of the research process.
The training ideals of these institutions trump your security. Your health information is accessible to medical professionals in training, and to virtually anyone with intermediate computer skills who cares to gain access to it. What's the incentive? I am not totally sure, but I can imagine a few scenarios based on whatever is going on in other sectors.
Thieves might attract potential employers who wish to screen the medical histories of prospective employees; you might never get the call for an opportunity if you had any negative health history. Perhaps online bank thieves need your name, Social Security number, mother's maiden name and other identifying data to gain access to a financial account. Or a potential long-term relationship goes south suddenly because one party learns something negative about the other.