Hospitals exist to take care of patients, not to write software, so they typically purchase it from third parties.
HIPAA's covered entities are health care providers, health plans and clearinghouses; the companies that write the software used in health care are not covered, and are reached only indirectly through the business associate contracts those entities sign with them. How can the health care industry comply with HIPAA if the software vendors are not accountable for the security of their own products? Let's continue with our hypothetical visit to the hospital to uncover more software vulnerabilities and learn why HIPAA vendor compliance management matters.
The doctor runs you through a couple of tests to assess your condition. You are hooked up to an electrocardiogram (EKG) machine that is really a PC. Little do you know that the administrative password on these PCs is the same vendor-set password at every hospital that uses them. The doctor then pulls up your test results over the Internet on a laptop. When the doctor leaves, you notice that the laptop is left unlocked with your results on the screen for all to see.
After the EKG, the doctor orders a chest X-ray to take a closer look at your heart. A contracted radiologist in another country reads the image over the Internet through a Web server, and that Web server pulls your record from the radiology database using a single shared administrative password that is sent in clear text. The session between the radiologist and the Web server is SSL encrypted, but encryption in transit is the only control in place: the vendor knows nothing about Web server hardening or secure Web application development, and the server is several months behind on critical patches because the vendor has not yet authorized them.
The doctor determines you need an operation, but when you are wheeled into the hospital's heart center for the procedure, you are unaware that the hospital's software vendor is remotely working on the cardiology treatment application at that moment. The vendor comes in over a VPN that is always on, and every one of its support staffers shares a single username that has administrative access to the database, so nothing in the logs can say which person did what.
Next, the nurse starts your IV. The IV pump sends its data over a wireless connection to the pharmacy system, and that wireless link is protected only by the notoriously insecure WEP protocol. WEP keys can be recovered by anyone within radio range who collects enough traffic; whoever recovers the key joins the network and can reach the entire pharmacy system and all the personal patient data in it. You are also attached to the patient monitor that displays your heart rate and other vital signs. This monitor is actually a computer and, once again, it has the same administrative password as every monitor at every hospital that bought the device.
After your surgery, the nurse removes a pain medication from an automated dispenser. The dispenser is a Windows 2000 computer, and it will stay one: the vendor has not tested its software on Windows XP, so the hospital cannot upgrade it. The technician who installed the unit shared its hard drive so that anyone on the network can access it anonymously with full administrative (root-level) privileges, to make servicing easier.
Surgery is frightening enough without having to worry about the security of the computer systems involved in your care. Not only is your personal information at risk but so is your safety, because the same systems deliver your medication and monitor your vital signs. Yet the security requirements imposed on health care pale in comparison to those for online banking. Is your health information any less valuable than your financial data?
It is time health care software vendors take security seriously. If they were covered entities under HIPAA, it would be a big step toward providing secure electronic patient health records.