Real Hospital Information Security
I recently had the displeasure of visiting the hospital emergency room when a family member needed some urgent care. Thankfully, everything turned out OK, so while I was sitting there waiting (and waiting.. and waiting), I had the opportunity to observe some information security practices in action.
Doctors and nurses were making heavy use of laptops, both on portable carts and by simply (awkwardly) carrying them around. Clearly, a wireless network was in use. Of course I didn’t attempt any actual assessment other than observing how people handled information.
While we was seeing the patient, one doctor placed his laptop on a trash can with a slightly pitched lid. I noticed that the laptop was starting to fall while he was, well, being a doctor, and intercepted it before it could crash to the floor. He was just trying to do his job (being a doctor that is, not a techie).
The intake lady (I don’t know what her title was) handed me a bunch of legal agreements to be signed. These were basically consents for treatment and payment, without which I assume we would not have been seen.
The forms simply had big X marks where I was supposed to sign. I noticed that most of the areas where one had to make a choice were not filled in. For example: did I wish to allow electronic access to the records or not? If I followed the instructions of the intake lady I would have simply signed on the dotted line, while my silent choice could have easily been made for me later.
I opted out of access to electronic information, but as I was waiting (and waiting.. and waiting), I started to wonder if that was the wrong choice. The form asked if I wanted to allow authorized users access to electronic information. It did not speak to the storage of said information, which undoubtedly is still electronic. So by not allowing authorized users access to information which is likely already stored electronically, I may have simply made their job harder, while the bad guys, who don’t care about access controls and agreements, might have a crack at it anyway.
The information security problems I observed had little to do with technical security. One doctor was struggling with an awkward laptop. That laptop almost became a write-off and would have probably resulted in some downtime for his to access information (availability). Another problem had to do with consent to access information. While it seemed to be well-intentioned (and probably mandated by HIPAA), the net security effect of my decision didn’t seem to matter much.
Information security is about allowing people to do their job effectively and getting out of the way. It is our job as security professionals to study how other professions operate so that we can enable them to work effectively, with safety of information built into that workflow. It is also about finding the subtle nuances of the controls we put in front of people and thinking it through the entire way. It’s a game of “what ifs,” which often leads to surprising conclusions.