A new article, “IT security problems continue”, is one of many that seem to hint that Healthcare IT, EHR, PHR, and the whole of healthcare on the Internet are stalled because of IT security issues. Yet nowhere is there a list of these issues. The article points at a press release, “Hacker Attacks Targeting Healthcare Organizations Doubled in the 4th Quarter of 2009 according to SecureWorks’ Data”, by the security vendor SecureWorks.
Actually, the security vendor’s press release is more informative than the ‘news’ article. The press release points out that, based on statistics gathered from its customers, attacks on healthcare have increased where attacks on other sectors have not. This seems to indicate an intentional shift in the attacker community.
SecureWorks®, Inc., a leading global provider of information security services protecting 2,700 clients worldwide, reported today that attempted hacker attacks launched at its healthcare clients doubled in the fourth quarter of 2009. Attempted attacks increased from an average of 6,500 per healthcare client per day in the first nine months of 2009 to an average of 13,400 per client per day in the last three months of 2009. Attempted attacks against other types of organizations, protected by SecureWorks, did not increase in the fourth quarter.

This vendor then goes on to advocate “Defense-In-Depth” and the implementation of the kinds of services that it offers. All good ideas. What they don’t cover is the architectural solutions that can be put in place.
The alternative architecture that I have been advocating, due to my involvement, is the model built around an XDS based HIE. In this model each healthcare organization makes outbound connections to some common infrastructure and only needs to accept one inbound connection. There is a central set of services (Registry, PIX Manager, PDQ Manager, Audit Record Repository, Time Source, and XCA Gateways) that do need to be highly protected.
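To make the attack-surface argument concrete, here is an added example (not code from the original post, IHE, or any HIE project) that models the edge policy of one participating organization in this hub-and-spoke model: outbound connections are permitted only to the central services named above, and exactly one inbound service is exposed. All addresses and ports are constructed; the choice of the exposed service (assumed here to be the organization’s XDS Document Repository on HTTPS), the port for audit messages (syslog over TLS) and the default-deny egress rule are assumptions of this example, not statements from the post.

```python
"""Hub-and-spoke edge policy for an XDS-style HIE participant (constructed example)."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

from ipaddress import ip_address, ip_network

# Address space of the HIE's shared (core) infrastructure -- constructed.
HIE_CORE_NET = ip_network("10.0.0.0/24")

# Central services every participant reaches OUTBOUND.  Addresses are
# constructed; ports are assumptions (HTTPS for the web-service actors,
# 6514 for syslog-over-TLS audit messages, 123 for NTP).
CORE_SERVICES: Dict[Tuple[str, int], str] = {
    ("10.0.0.10", 443): "XDS Registry",
    ("10.0.0.11", 443): "PIX Manager",
    ("10.0.0.12", 443): "PDQ Manager",
    ("10.0.0.13", 6514): "Audit Record Repository",
    ("10.0.0.14", 123): "Time Source",
    ("10.0.0.15", 443): "XCA Gateway",
}

# The organization's own network and the single service it exposes INBOUND
# (assumed: its XDS Document Repository, reached only from HIE infrastructure).
ORG_NET = ip_network("192.168.10.0/24")
EXPOSED_SERVICE: Tuple[str, int] = ("192.168.10.5", 443)


@dataclass(frozen=True)
class Flow:
    src: str    # source IP
    dst: str    # destination IP
    dport: int  # destination port


def evaluate(flow: Flow) -> Tuple[str, str]:
    """Return (verdict, reason) for one connection attempt seen at the org edge."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    outbound = src in ORG_NET and dst not in ORG_NET
    inbound = dst in ORG_NET and src not in ORG_NET

    if outbound:
        service = CORE_SERVICES.get((flow.dst, flow.dport))
        if service is not None:
            return "allow", f"outbound to {service}"
        # Default-deny egress (a hardening assumption added here): the
        # participant talks to the shared infrastructure and nothing else.
        return "deny", "outbound to non-HIE destination"

    if inbound:
        if (flow.dst, flow.dport) == EXPOSED_SERVICE:
            if src in HIE_CORE_NET:
                return "allow", "inbound to the single exposed service"
            return "deny", "inbound to exposed service from outside the HIE"
        return "deny", "inbound to unexposed host/port"

    return "deny", "neither inbound nor outbound at this edge"


def triage(flows: List[Flow]) -> Tuple[List[Tuple[Flow, str, str]], Counter]:
    """Evaluate every flow and count denied inbound attempts per source.

    The counter is what a defender would hand to monitoring: with only one
    service exposed, any denied inbound traffic is by definition unexpected.
    """
    verdicts = [(f, *evaluate(f)) for f in flows]
    denied_inbound = Counter(
        f.src for f, verdict, reason in verdicts
        if verdict == "deny" and reason.startswith("inbound")
    )
    return verdicts, denied_inbound


# Constructed sample traffic: routine HIE use plus probes from an outside host.
SAMPLE_FLOWS = [
    Flow("192.168.10.20", "10.0.0.10", 443),    # register/query documents
    Flow("192.168.10.20", "10.0.0.14", 123),    # time sync
    Flow("192.168.10.20", "203.0.113.7", 443),  # stray egress, not HIE
    Flow("10.0.0.15", "192.168.10.5", 443),     # gateway retrieving a document
    Flow("198.51.100.9", "192.168.10.5", 443),  # outsider hitting the repository
    Flow("198.51.100.9", "192.168.10.5", 22),   # outsider probing SSH
    Flow("198.51.100.9", "192.168.10.40", 3389),  # outsider probing RDP
]

if __name__ == "__main__":
    results, suspicious = triage(SAMPLE_FLOWS)
    for flow, verdict, reason in results:
        print(f"{verdict:5} {flow.src} -> {flow.dst}:{flow.dport}  ({reason})")
    print("denied inbound attempts by source:", dict(suspicious))
```

The point of the model is how little the participant has to defend: one inbound endpoint and a short allow-list of outbound destinations, so the per-organization firewall and monitoring rules stay small and every denied inbound attempt is worth looking at. The central services carry the concentrated risk, which is why the post singles them out as needing strong protection.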
As an architecture, the XDS family has other privacy and security benefits beyond this core approach. These are nicely outlined in an IHE white paper on Security and Privacy in an HIE.