In Star Trek I never saw Dr McCoy texting Spock or playing Angry Birds on the medical tricorder, which may be why I never saw him swearing over it because he had to type in an eight-digit passcode because of an MDM policy. Bones would just wave it over someone and poof!—instantaneous and accurate diagnostic results. No mobile malware to slow it down or exfiltrate ePHI.

Today’s tricorder technology, tablet computers and smart phones are helping transform the health care industry by providing anywhere, anytime access to electronic medical and health records (EMR/HER). Even now changing dentists often means having paper records copied and snail mailed from one practice to another. And since x-rays are difficult to copy, the gaining practice had to take a whole new set of films.  Today x-rays can be produced digitally, copied at will with no loss of fidelity, and transferred as soon as they’re taken—no manual processing needed—and delivered to the doctor on a PDA tablet.

Technology is enabling not only interconnected health data, but a connected health experience for the patient, caregiver, payers, and pharmacies. Immediate results mean less anxiety for patients, and quicker diagnoses and treatment plans. Connected health also means caregivers can monitor patient outcomes even after they’ve left the clinic or been discharged from the hospital, allowing all parties to interact toward a more timely recovery and avoid mistakes.

But this utility is encumbered with a heavy security burden. In fact, the U.S. Department of Homeland Security classifies the heath care system as national critical infrastructure. In addition to the same threats that all organizations face, health care organizations have to protect patient data, and there’s cause to be concerned just from the headlines in the last year or so:

  • 34,000 patient files were compromised when a contractor’s laptop was stolen from his car
  • A hacker in Eastern Europe broke into a state owned computer in Utah and stole 800,000 records–more than 1/4 of the state’s population
  • Backup tapes were stolen from a health insurer for the military. 5 million patient records were compromised, the biggest health data exposure to date
  • A hospital insider accessed patient records of a period of 17 months and sold them

The health care industry is a lot like the security industry: no one wants to have to call on either, and we often wait until it’s too late to invest in both health care and information security. Health care is currently focused on early detection, and while we profess to have the same goal in information security, it’s clear that we’re not doing a great job: the majority of system compromises go unnoticed for months, according to the 2011 Verizon Breach Report. A once-a-year check up is too infrequent and gross a test to catch all but the most obvious ailments, the same way manual log analysis is ineffective at early detection of attacks.

We have an advantage in information security over health care, though: the capability to perform continuous and non-invasive monitoring. Medical diagnostics are getting less traumatic with transcutaneous blood-gas monitors, dielectric and near-infrared spectroscopy for blood glucose monitoring, ultrasound for cardiac and fetal development monitoring, but we’re a long way from the medical tricorder.

But predictive analytics can be applied to determine whether consumers are making smart food choices. Health providers and payers could collaborate to provide discounts to patients who continuously eat to stay healthy, using supermarket loyalty cards to track food purchases, and WiFi-connected heart rate monitors to establish a pattern of exercise and record vital statistics on a frequent basis. These are only a couple of possibilities: there’s a practically endless supply of ideas that could fuel a whole industry, contributing to not only a healthy population, but a healthy economy.

IBM’s own Watson is in the process of retraining from being a Jeopardy champion to a medical diagnostician. Watson is able to ingest patient history, compare diagnostics with other patients with similar symptoms and backgrounds, assimilate new research from unstructured sources such as medical journals, and arrive at a more accurate diagnosis more quickly than most doctors.

All of this should percolate into a health dashboard, available to patients, caregivers, payers, and goods manufacturers, with different levels of detail based on role and associated need to know. The system has to be transparent and intuitive, and security needs to be baked in, not added on.

Healthcare has more complex requirements than many other industries. They’re not only concerned with common threats like script kiddies, malware, and  hacktivists—especially given the political climate in the use around the health care reform law; healthcare organizations also have to protect electronic protected health information (ePHI) against exposure. This requires vigilance against deliberate records fraud as well as accidental leakage of personal information. For example, a clinician may access the records of a celebrity admitted to the hospital to sell the diagnosis to the media, or looking up their neighbor’s health history out of curiosity or for ammunition in a clan feud. Identification of this broad set of threats requires total visibility and sophisticated analytics only found in Security Intelligence.

It’s appropriate that the same type of analytics that can be used to monitor health choices and diagnose medical conditions can also detect exposure of ePHI and medical fraud. They both involve consuming enormous amounts of wildly diverse data, interpreting it in the context of the problem at hand, and correlating seemingly unrelated information to yield an accurate and actionable conclusion. Said otherwise, they both involve the application of intelligence, which will transform the healthcare industry just as it has for security.

To learn more about the transformation of health care with security intelligence, read Chris’s article at SecurityWeek.

Original Post on