Health IT: What Can Go Wrong
In December 2008, a PC used to check digital images rebooted in an operating theatre in mid-surgery at the Sheffield Teaching Hospitals Trust in England. After managers decided to disable automatic security updates to solve the problem, hospital computers were promptly infected with the Conficker worm.
The hospital system tried to keep the problem secret, warning staff not to make details of the outbreak public. When that failed, the trust said that the worm infection had not cost the public any money, "just time and effort by the IT teams." Clean-up continues.
The failure did harm patients when some appointments in the medical imaging department were canceled. This is no small matter in health systems with extensive waiting lists. As of November 2008, Sheffield had 584 people waiting for MRIs, 375 people waiting for CAT scans, 587 people waiting for non-obstetric ultrasounds, and 1,214 people waiting for DEXA. More than a third of the MRI patients had been waiting more than 3 weeks.
The Trust had warnings about the worm, but apparently lacked the ability to apply software patches in a timely fashion. Microsoft had released a patch for the vulnerability exploited by the Conficker worm on October 23, 2008. On the same day, it published Security Bulletin MS08-067 showing users how to protect their systems from the worm. US-CERT also issued an alert that day, directing readers to update their systems. On November 11 it repeated the warning, again encouraging the use of automatic updates for Windows-based systems. Though Sheffield hospitals apparently had health IT, it was health IT without basic security measures.
The worm also crashed the computer system at New Zealand's Ministry of Health. The infection was contained by isolating the 12 Health Ministry offices. Workers were not allowed to use email or the internet. Though the Health Ministry could not do its work, it reported that health services were unaffected.
The New Zealand Health Ministry is not the only government health agency with IT vulnerabilities. In 2006, the GAO reported numerous vulnerabilities in information security at the U.S. Centers for Medicare & Medicaid Services. It concluded that the vulnerabilities were serious enough to "place medical data at risk." The GAO said officials would not necessarily know if a breach had occurred because documentation of computer network use was inadequate. In addition, the agency "did not ensure the application of timely and comprehensive patches and fixes to system software."
Fascinating.
Agree. We almost never hear about the down side of these systems.