Information Security Magazine
Perspectives
by Joseph Granneman
Issue: Oct 2007

Software used in health care is rife with vulnerabilities. It's time vendors shape up.


Your doctor recommends you have an angioplasty to clear the arteries to your heart. At the hospital, you start in the admissions department, giving all your personal information to a stranger who enters it into a computer. What you don't realize is how vulnerable your personal information has just become and how many people who have nothing to do with your health care now have access to it.

Hospitals exist to take care of patients, not to write software, so they typically purchase it from third parties. HIPAA covers health care and insurance providers, but not the companies that produce the software those providers use. How can the health care industry comply with HIPAA if the software companies are not accountable for the security of their products? Let's continue with our hypothetical visit to the hospital to uncover other software vulnerabilities.

The doctor runs you through a couple of tests to assess your condition. You are attached to a PC where an electrocardiogram is run. Little do you know that the administrative passwords on these PCs are the same at every hospital that uses them. The doctor then accesses your test results over the Internet using a laptop computer. When the doctor leaves, you notice that your results remain on the laptop screen for all to see.

After the EKG, the doctor orders a chest X-ray to take a closer look at your heart. A contracted radiologist in another country reads the image over the Internet via a Web server that pulls your information from the radiology database using a single administrative password sent in clear text. Although the data is SSL encrypted, the vendor knows nothing about Web server hardening or secure Web application development. The server is also several months behind on critical patches because the vendor has not yet authorized them.

The doctor determines you need an operation, but when you are wheeled into the hospital's heart center for the procedure, you are unaware that the software vendor for the hospital is working on the cardiology treatment application. The vendor uses a VPN that's always on, with a single username for all of its support staffers who have administrative access to the database.
