HEALTH providers need to instil a culture of security when safeguarding their medical data to avoid becoming the weakest link in the national eHealth system, according to ECU researchers.
Security experts at ECU’s Security Research Institute say security is not well regarded by medical professionals and is usually an afterthought they are reluctant to invest time and money in.
“Security as part of requirements engineering is now seen as an essential part of systems development in several modern methodologies,” senior lecturer Mike Johnstone says.
“However, medical systems are one domain where security is seen as an impediment to patient care and not as an essential part of a system.”
He says this attitude makes developers less likely to include advanced security protocols in their products.
“Unfortunately, most software is insecure. This is due to the tension between functional requirements [as seen by a customer] and security requirements [which often are not],” Dr Johnstone says.
“Security is often relegated when shipping dates approach because developers know clients see functionality and don’t think about security as much.”
ECU senior lecturer Trish Williams says the weakest point of the upcoming national eHealth system is its end users, such as health practices and hospitals.
She says there is no security culture among medical practitioners, which keeps security from becoming an integral part of operations.
“Medical systems appear especially problematic as their primary focus is patient care and security is either assumed or ignored,” she says.
“One of the reasons security gets such a bad rap is because we don’t integrate it well into clinical workflow.
“It’s not their core business, to do security, so it tends to be an overlay on top and not particularly well integrated.”
Instead, health providers’ data storage choices are often driven by cost and how well they and their IT staff, if they have any, understand computing.
Dr Williams says medical practitioners are even less likely to take records security seriously because they lack the skills and protocols to even detect intrusions if they happen and thus assume they don’t have a problem.
“If they did have any breaches they probably wouldn’t even notice them,” she says.
“Health is also a very trusting environment, which means practitioners are naturally less suspicious of security issues that we might think of.”