Thursday, January 21, 2010

Operation Aurora And a Widespread Reluctance to Discuss IT Flaws: Is Universal Healthcare IT Really a Good Idea in 2010?

In an essay that ties together recent expos�s of serious IT security flaws (starting with Operation Aurora) and a culture of secrecy that pervades the IT industry and industries who use IT, I ask the question:

Is universal healthcare IT really a good idea in 2010?

The complete essay is at my academic site at this link.

Operation Aurora was a cyber attack, conducted in mid-December 2009 and apparently originating in China, against Google and more than 20 other companies, including Adobe Systems, Juniper Networks, Rackspace, Yahoo, Symantec, Northrop Grumman and Dow Chemical.

The attack used "0-day" vulnerabilities (newly discovered and unknown to the software vendor, i.e., "day zero" of the vendor's knowledge of the defect) in Microsoft's Internet Explorer. One target was Google's email service, Gmail. It is not unrealistic to suspect that successful break-ins to that service could have gotten dissidents jailed or killed. Entire countries have warned users to switch to other browsers, at least until a vulnerability fix can be found. I find this stunning.

I also bring to bear recent reports of a culture of secrecy among IT vendors and users about these defects and vulnerabilities. This culture of secrecy seems prevalent in health IT, with perhaps even higher stakes for people (patients) when systems malfunction.

The essay is long-ish and at times technical.

The IT issues it addresses, though, are at the root of why I believe the current push in health IT is a bad idea and that we need to "slow down" to a more temperate pace.

Again, the full essay is here.

-- SS

1/24/2010 Addendum:

It appears Microsoft has known about the Internet Explorer bug since Sept. 2009.

The flaw was in the Microsoft Security Response Center's (MSRC) queue to be fixed in the the next batch of patches due in February but the targeted zero-day attacks against U.S. companies forced the company to release an emergency, out-of-band IE update.

Actually, this was not a "zero day attack", but a "120 day attack." One wonders if EHR vendors have similar queues.

-- SS

0 comments:

Post a Comment

Related Posts Plugin for WordPress, Blogger...