Tuesday, March 3, 2009

Safety of the data means more than protecting information

Unplanned Security - It can be life threatening.

Imagine for just a moment that it's 6:30 a.m. and you are a patient in a hospital waiting for surgery. It's a routine operation to remove your gall bladder (one of those throw-away parts), and no big deal. What you don't know, however, is that the hospital's computer network was recently redesigned. The support staff moved all of the critical applications from the mainframe to a distributed network environment. In the rush to move from one platform to another, management never developed security policies and procedures for the new systems. So the hospital support staff never configured security. On the surface, the right-sized network is running smoothly. Underneath, however, anyone on the hospital network can steal, modify, or destroy patient information on the servers.

Yesterday, when you were admitted to the hospital, you had some pre-op testing done to make sure that you don't have an infection. They did blood work and a chest X-ray -- the standard pre-op stuff. You wake up early the next day, 4:00 a.m., and your surgery isn't for several hours. You wake up because you're a little nervous about getting that gall bladder removed. After considering the problems it was giving you, you decide you will be better off without it. Feeling calm, you fall back to sleep and have a few pleasant dreams.

Six a.m. rolls around. The doctor calls down from the operating room. He tells the nurse that he wants the results of your pre-op tests sent with you to the operating room. Since the results haven't come back to the floor yet, the nurse logs into the computer to get your results. They are normal. Or, at least they are now.

What your nurse doesn't know is that a hacker broke into the server and changed your test results from abnormal to normal. Before the information was modified, the results of your lung X-ray review noted a questionable shadow -- maybe just congestion, or maybe pneumonia. Results that would tell your doctor to postpone the surgery to avoid possible complications that could lead to respiratory failure.

Since your doctor doesn't get those results, he operates anyway. Your gall bladder takes the route your tonsils took many years ago. It appears to have been a successful operation. That is, until the anesthesiologist notifies your surgeon that he can't seem to get you off the respirator. He orders a repeat chest X-ray, which shows a dense pneumonia. He then requests your pre-op X-ray, which shows a smaller shadow in the same area. He calls your surgeon wanting to know why he did an elective surgery on a patient with preexisting pneumonia. Your doctor can't be reached because he is busy filling out your death certificate. Guess what? Your lungs gave out -- you are dead.

This is one case when the safety of the data means more than protecting information -- it means protecting lives. Pretty scary when you consider just how much real hospitals rely on their computers. Just imagine...
