I’ve been having a background email conversation with Lisa Williams, who covers many medical blogs as part of her blog Learning the Lessons Of Nixon and kindly refers back to me. (Lisa does seem to think this is a blog just about scandals in health care. I keep trying to tell people that this is an objective blog about the entire health industry, but they’ll call it the way they see it, and there have been a few naughties lately!) Regarding my post on Wi-Fi security, Lisa writes:
I was at a healthcare facility — a hospital which will remain unnamed — and found an unsecured wireless LAN by accident. It should be noted, however, that access to a LAN emphatically does not mean that you can get access to patient records. Each system which does something for users — an email system, a database containing records, a billing system — may be connected to a network, but just because you’re on that network doesn’t mean it’s any easier for you to get into that system if you are not authorized to be there. It’s sort of like houses on a road: Just because you can get on a street where there are houses doesn’t mean that you can automatically let yourself in to any house. It’s worse, even, because being on a computer network won’t give you the same cues that a system with data is nearby, the way your eyes will if you are walking down a street that there is a house nearby — you won’t know if there’s a door or where it is, or if you get there, how to open it. The example you gave regarding your own LAN only shows how unsecure consumer software is; most people don’t bother to have a password when they boot up their machine, and so, when connected to a network, that machine is wide open. But almost any program in a work setting requires logon. So, by all means, secure your network, but the best security is always provided at the "house" level rather than at the "road" level.
It’s worth noting that workers in many healthcare settings do have Windows laptops that aren’t much (or any) different than what you or I have at home. Would those contain personal information on a patient? What about email? Sure. I suspect the "big" systems that are central to containing registries of health data require *at least* password authentication, and have other forms of security. The problem is securing PCs. My husband works for a company that lets you configure hundreds of PCs over a network simultaneously. Who are the biggest new customers? Hospital chains and HMOs. Sure, they probably use it to install the latest virus patch, but I wouldn’t be surprised to have someone use it to say, Okay, everybody’s PC that we own here is going to have X security software and settings, period.
If the individual PCs aren’t secure, then wireless does increase the risk, because walking around with an ethernet cable looking for a jack in a hospital or doctor’s office is gonna attract some attention! And sitting there with a wifi device isn’t.
I’d only add that the laptop PC security management problem Lisa brings up will be expanded by the numerous PDAs and smartphones that will be making their way into clinicians’ hands in the next few years.