2,893 research outputs found

    Help or hindrance The practicality of applying security standards in healthcare

    The protection of patient information is now more important as a national e-health system approaches reality in Australia. The major challenge for health care providers is to understand the importance of information security whilst also incorporating effective protection into established workflow and daily activity. Why then, when it is difficult for IT and security professionals to navigate through and apply the myriad of information security standards, do we expect small enterprises such as primary health care providers to also be able to do this? This is an onerous and impractical task without significant assistance. In the development of the new Computer and Information Security Standards (CISS) for Australian General Practice, a consistent and iterative process for the interpretation and application of international standards was used. This involved both the interpretation of the standards and the application of knowledge to create a practical but acceptable level of security for the primary healthcare environment. From a security perspective such practical application of standards poses the dichotomous challenge (and criticism) of how much security is sufficient versus how much can the primary healthcare environment manage. This paper describes the path of development from standards to implementation using the CISS as an example. It is concluded that more practical assistance is required by the security profession to support the national e-health initiative if Australia is to provide a safe and secure healthcare environment.

    Is Cyber Resilience in Medical Practice Security Achievable?

    Australia is moving to a national e-health system with a high level of interconnectedness. The scenario for recovery of such a system, particularly once it is heavily relied upon, may be complex. Primary care medical practices are a fundamental part of the new e-health environment yet function as separate business entities within Australia’s healthcare system. Individually this means that recovery would be reliant on the self-sufficiency of each medical practice. However, the ability of these practices to individually and collectively recover is questionable. The current status of information security in primary care medical practices is compared to the needs of information security in a broader national e-health system. The potential issues that hamper recovery of a national system are the poor understanding of security at the end-user level currently, and the lack of central control. This means that in this environment where independence is promoted, the major concern is national coordination of recovery from a major incident. The resilience of a medical practice to cope with a cyber-security incident is important. Resuming normal activity within an acceptable time frame may be vital after a major attack on Australia’s infrastructure

    Information Warfare: Time for a redefinition

    Information warfare has become an increasingly diverse field. The changes to its composition have been primarily driven by changes in technology and the resulting increased access to information. Further, it has been the progressively more diverse methods available for communication that have fuelled expanding applications for information warfare techniques into non-military environments. In order for younger generations of students to understand the place of information warfare in the larger security picture, there is a need to shift the emphasis from many of the military underpinnings to its relevance in modern society and the challenges in the commercial environment. This paper provides a platform for discussion of the sphere of information warfare and its relevance to contemporary society. Whilst the methods of information operations and the understanding of military origins have not changed, the manner in which the topics are presented and how these relate to today’s corporate environment and increasingly global society have become a new focus. The importance of this is to make information warfare relevant to today’s generation of students and to develop information strategists rather than information specialists who can function effectively on a global stage.

    Big data in healthcare: What is it used for?

    Big data analytics is a growth area with the potential to provide useful insight in healthcare. Whilst many dimensions of big data still present issues in its use and adoption, such as managing the volume, variety, velocity, veracity, and value, the accuracy, integrity, and semantic interpretation are of greater concern in clinical application. However, such challenges have not deterred the use and exploration of big data as an evidence source in healthcare. This drives the need to investigate healthcare information to control and reduce the burgeoning cost of healthcare, as well as to seek evidence to improve patient outcomes. Whilst there are a number of well-publicised examples of the use of big data in health, such as Google Flu and HealthMap, there is no general classification of its uses to date. This study used a systemic review methodology to create a categorisation of big data use in healthcare. The results indicate that the natural classification is not clinical application based, rather it falls into four broad categories: administration and delivery, clinical decision support (with a sub category of clinical information), consumer behaviour, and support services. Further, the results demonstrate that the use of big data in all examples in the literature is not singular in its approach and each study covers multiple use and application areas. This study provides a baseline to assess the proliferation of the use of big data in healthcare and can assist in understanding the breadth of big data applications.

    Trusted interoperability and the patient safety issues of parasitic health care software

    With the proliferation of software systems and products in the healthcare environment, it is increasingly common for such software products to be constructed in a modular design. However, for modular software to be securely interoperable with other software products requires agreed consistent and accountable interfaces. This agreement may take the form of bilateral vendor to vendor arrangements or via a trusted external third-party who coordinates agreed interaction methods, such as a jurisdiction. Standards are a particular form of mutually trusted third party. Unfortunately, this agreed method of interoperability is not always present in vendor software. Where one software product or module interacts with another, in the absence of any agreement, it is referred to as “bolt-on”. It is perhaps more descriptive to refer to such software in terms of its potential to cause harm and refer to it using the biological analogy of “parasitic” software and associated “host” software. Analogous to biological systems, parasitic software can operate by data injection into or data extraction from, the associated host database. Both forms of parasitic software exploit access mechanisms or security flaws in the host software independent of the host vendor and in ways not intended or supported by the host vendor. This paper discusses the mechanics of this security vulnerability and more importantly, the potential adverse consequences to patient safety of such susceptibilities. As Australia moves to a national connected e-health system these issues are causes for grave concern. This paper provides a case study of this insecurity to highlight the problem, promote discussion and encourage potential change.

    Small Business - A Cyber Resilience Vulnerability

    Small businesses in Australia comprise 95% of businesses. As a group this means that they contain increasing volumes of personal and business data. This creates escalating vulnerabilities as information is aggregated by various agencies. These vulnerabilities include identity theft and fraud. The threat environment of small business is extensive with both technical and human vulnerabilities. The problem is that the small business environment is being encouraged to adopt e-commerce by the government yet lacks resources in securing its cyber activity. This paper analysed the threats to this situation and found that questions of responsibility by individual businesses and the government are fundamental to the protection of small businesses' information. Ultimately this raises the possibility of an undefined and unrecognised major vulnerability for Australia.

    Avoiding epic fails: software and standards directions to increase clinical safety

    The safety issues related to IT and software are gaining more exposure within the Healthcare industry. While software and computing was seen as a panacea to a range of preventable clinical errors, the introduction of healthcare IT has of itself presented patient safety issues. It is the inherently complex nature of healthcare, and its delivery, that creates increasing patient safety concerns in the application of IT and software. This position paper provides a collation of current work in international standards and highlights the drivers for the necessary change required to address patient safety in the use of healthcare IT software and systems. Software development and deployment has already altered and standards to oversee these are only just catching up. The need to revise such standards has been recognised and is underway, however a clash of cultures is delaying the emergence of Standards traditionally developed and governed by Standards Development Organisations (SDOs). The impact of this is that whilst standards are being informed by current software trends, the standards developers themselves are struggling to assimilate the rapid changes in the market. Whilst SDOs are cooperating more closely, there is an increased need for the involvement of the healthcare software development community and e-health informaticians in the standards process to narrow the gap in standards relevance. Such involvement would expand the currently narrow field of experts with the appropriate skills, background, knowledge, and experience in healthcare software risk analysis, security, privacy, and standards development

    International Relations and Cyber Attacks: Official and Unofficial Discourse

    The potential for cyberwarfare is vast and is of concern to all nations, and national security defence. It appears that many countries are actively trying to protect their computer networks, whilst looking for ways that might bring down the networks of other countries, although this is not officially acknowledged. Bringing down another nation's computer networks could give the attacking nation intelligence and control. These kinds of interactions are now a part of the way in which international relations are played out, and the internet is also a place in which international relations are contested. As such the internet plays a role in the visualisation and articulation of international relations both officially and unofficially, via official pronouncements and the activities of private citizens. What makes the internet different to other media forms is that the internet also represents a space in which international relations are contested in terms of cyber attacks and information warfare. This paper analyses official and unofficial discourses surrounding the way in which international relations in regards to cyber attacks have been played out via the internet, using North Korea and Stuxnet as case studies.

    The hare and the hortoise [sic]: The potential versus the reality of eTP implementation

    In a health system increasingly driven by cost constraints, there is a focus on improved electronic transfer of information to support healthcare delivery. One area of healthcare that has moved more quickly than others to achieve this is prescribing in the primary care environment. Whilst the move to electronic transfer of prescriptions has reduced transcription errors, the regulatory environment persists with handwritten signatures. This constraint, whilst addressed slowly with technology solutions, needs support from legislative change. The ultimate step is to have a secure mobile model, which would support the move to a fully-electronic, paperless transaction model