By Bill Reid, SVP of Product Management and Partners, SCI Solutions
Question: would you go seek out care from a provider who used outdated equipment to take care of you?
I am sure most would say, “No way, I want providers that use the state-of-the-art technologies – for the cost of care these days that is what I would expect.”
We go into shiny facilities with watered lawns, clean halls and staff in laundered white lab coats. We read about the latest gamma knife deployment, robotic surgery and transplantation of every major organ. We can do amazing things these days.
And yet, we seem unable to upgrade basic computer technologies.
Microsoft released Windows XP back in 2001. A couple of years ago, the company, after what is a reasonable support period of well over 10 years, said it was time to upgrade and that they would no longer be supporting the product.
So what did healthcare IT do with this announcement? It seems not a lot. In a May 2014 article in Healthcare IT News, Mike Miliard noted that “…security experts guess that 15-25 percent of the world’s PCs still run on the system. It’s a safe bet that includes an untold number of machines at physician office practices and small hospitals nationwide.”
Guess what – more than a year later – we still see a significant amount of XP use.
I had the opportunity to work at Microsoft on improving the security of XP and the follow-on release, XP SP2, and we did an enormous amount of work to improve the security capabilities of the product, but security is not a one-time exercise. It is a maintenance discipline. It never stops. So when support stops, and when engineers stop patching the latest vulnerabilities exposed by new sophisticated attacks and evolving threats, it is like no longer mowing the lawn. It doesn’t take long for the weeds to overtake the nice lawn. It’s as if you never planted it.
Health care organizations, unfortunately, seem to be attractive targets for attack, so the failure of organizations to invest in and maintain their systems makes the situation worse. The Ponemon Institute’s Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data, released May 2015, stated:
“Data breaches in healthcare continue to put patient data at risk and are costly. Based on the results of this study, we estimate that data breaches could be costing the industry $6 billion. More than 90 percent of healthcare organizations represented in this study had a data breach, and 40 percent had more than five data breaches over the past two years. According to the findings of this research, the average cost of a data breach for healthcare organizations is estimated to be more than $2.1 million. No healthcare organization, regardless of size, is immune from data breach. The average cost of a data breach to BAs represented in this research is more than $1 million. Despite this, half of all organizations have little or no confidence in their ability to detect all patient data loss or theft.”
The report goes on to state:
“To respond quickly to data breaches, organizations need to invest more in technologies…. 58 percent of healthcare organizations agree that policies and procedures are in place to effectively prevent or quickly detect unauthorized patient data access, loss or theft. However, less than half (49 percent) agree they have sufficient technologies.”
OK. Windows XP is by no means the cause or main vector of attack – but it is a “canary in a coal mine” for the investment approach toward security in health care. Show me an XP desktop and I will show you other examples indicating a lack of security investment.
Unfortunately, it is not just a few records that are being put at risk – computing technology runs and is core to all that other cool stuff I mentioned in the opening. It is the core of the EMR, it is what is used for maintaining the tissue matching software and systems for transplants, it is used to plan the radiation treatments, it is running advanced life-support systems, it is scheduling resources and it is running power systems in the shiny halls.
We can’t solve this issue overnight – but perhaps we can free the canary and fix the front-line systems. Let’s let XP retire. It worked hard for us for a long time, but it needs a rest. It is time to think about new systems, often cheaper to buy and to operate than ever before. Let’s put some full-drive encryption on those machines, too, while we’re at it.
Let’s replace the rusty scalpels.