A recent incident reported from a hospital in the US has brought into focus the 
security hazards of computerization in the health industry. It has been reported 
that a patient in the hospital was wrongly given a bar-coded wrist band that 
indicated certain contraindications about his diabetic condition. The mistake 
could have caused administration of wrong drugs, which could have been fatal to 
the patient.
 
 
  
This is just the tip of the iceberg when one analyses the risk of 
computerization in a critical industry like the Hospital industry. This is not 
to say that computerization does not have its advantages. In fact, use of IT in 
health care is of critical importance to the future generation. However, what is 
important to note is that in other forms of E-Commerce a mistake or a "Security 
Lapse" could lead to a financial loss, while in the case of the Hospital 
industry it could be a "Life and Death" problem.
 
 
  
So, how does the industry respond to these concerns of the health industry? What 
is the role of the "Tele Medicine Act", which is on the back burner in the 
regulator's chest? These are some issues we need to ponder upon.
 
 
  
While the above case in the Hospital could be treated as one of "Negligence", 
"Inefficiency" or "Human Error", it cannot be dismissed that more serious 
consequences could result from "Criminal" intentions executed through 
computerized systems. These are "Cyber Crimes" in the Health Industry.
 
 
  
Presently the Hospital industry throughout the world, and more so in India, is in 
the process of absorbing more and more technology into its operations, and the 
"Risks" arising out of "Technological Failure", "Technological Inefficiency" and 
"Technology Misuse" are yet to be the focus of computerization programmes.
 
 
  
It is necessary to point out that, unlike say in an e-Governance project where we 
can take the stand "Let us first start using technology and then address 
security issues", we need to address the security issues in Hospital projects 
concurrently with the initial computerization.
 
 
  
One key to this "Security in Computerized Hospital Environment" is to shift the 
focus of Security projects from "Technical Security" to "Techno Legal Security" 
and to undertake "CyLawCom audits" of Hospital systems.
 
 
  
The reason why "Legal Compliance Focus" could bring in an improvement to the 
system is that the management would be made aware of the consequences of 
"Medical Negligence" arising due to "Weak Technical Security".
 
 
  
By nature, IT Managers focus on "Functionality" and Technical Security 
Managers focus on "Intrusion Prevention". On the other hand, "Techno-Legal 
Security Managers" focus on "Consequences of Failure of Technical Security". 
Since the starting point of this process is "What if Technical Security is 
breached?", there is no psychological self-assurance that "My Security is the 
best. This cannot be breached".
 
 
  
This also brings us to an important management concern about "CyLawCom Audits", 
namely "Who should conduct such audits?". These are audits of the computerized 
environment with a focus on compliance with all legal issues concerning the 
management of business in the electronic environment, and they address the 
consequences of Cyber Crimes and Cyber Negligence on the owners of "Information 
Assets" and the needs of the "Information Asset Insurers".
 
 
  
It appears that, since the focus of the "CyLawCom audit" is "What if the 
Technical Security is breached?", the CyLawCom audit has to be conducted by a 
team different from the one that implements the Technical Security, and it 
should question several assumptions that the Technical Security team makes as a 
"Management Assurance". It is difficult for the Technical Security implementers 
and auditors to also double up as "Techno Legal Security implementers and 
auditors", since one starts with the assumption that the other fails.
 
 
  
However the CyLawCom auditors must be able to understand the technical security 
risks and measures taken to mitigate them and assess their reasonableness so 
that they can certify what could be considered as "Due Diligence" in a given 
environment.
 
 
  
Hopefully, the best of the technical security managers, who are open-minded and 
capable of self-criticism, would, with the acquisition of Cyber Law knowledge, 
emerge as the "Techno-Legal Security Managers" over a period of time.