HIMSS09: news from the windy city
There had been fears that companies and experts would stay away from this year’s Healthcare Information and Management Systems Society (HIMSS) conference in Chicago. But in the end, numbers were just 5 per cent down on last year’s event in sunny Florida. The US government’s massive injection of funds into electronic health records and other technologies helped. But there were plenty of other interesting presentations and launches. Neil Versel reports.
As technology slowly but surely becomes the norm in healthcare settings, the challenge of securing massive amounts of sensitive data continues to grow. But even the greatest firewall or password set-up in the world can be helpless in the face of a little charm.
“I still can’t go to Windows Update and download a patch for stupidity.”
Social engineering—sweet-talking someone into divulging information to obtain access – is really much easier than actually hacking a system. And it’s often is more than 99 per cent effective, according to superhacker-turned-security-consultant Kevin Mitnick.
“There’s no incident response platform in place because you aren’t expecting it,” Mitnick said in a well-attended session at the Healthcare Information and Management Systems Society’s (HIMSS) conference in Chicago.
“To have a really effective security programme, you have to think about your technology, your processes and people,” Mitnick advised. Especially your people. “I still can’t go to Windows Update and download a patch for stupidity,” he pointed out.
People: helpful, trusting, easy to con
According to Mitnick, who spent five years in prison in the late 1990s for hacking into the systems of global corporations such as IBM, Motorola, Nokia and Sun Microsystems, too many employees with access to important data believe that malicious attacks can’t happen to them.
“The people that think like this are the most vulnerable,” said Mitnick, who now advises the kind of corporations he used to hack on security issues. “They tend to trust and help others in order to project a positive organisational culture.”
He showed slides of an experiment on the streets of London, where passers-by were offered free theatre tickets or Marks & Spencer merchandise for taking part in what seemed to be an innocuous survey. Some participants revealed enough personal information - such as a pet’s name, mother’s maiden name or birthplace- to allow someone with bad intentions to impersonate them at a bank or the log-in screen of a bank’s website.
According to Mitnick, the first place a hacker will visit is an organisation’s web site to learn about the organisation, its leaders and staff. Then they will use this information to gain and exploit someone’s trust.
A common ploy is to call the help desk - because, after all, it’s their job to help - and act like an insider to get hold of a legitimate user’s account details and password. Prevention might involve staging an attack to sensitise staff to this kind of attack. “You have to demonstrate to your employees that they can be taken by social engineering,” Mitnick said.
A buzz about the money
HIMSS09 was not all about fear and loathing, despite the dismal economic conditions – and dismal weather - in which it took place. Indeed, many of the more than 27,000 people who packed the massive McCormick Place complex in Chicago were downright giddy with anticipation of an unprecedented windfall in healthcare IT.
“We can innovate today – using technology already in place – to deliver on many of the goals targeted by the new administration’s stimulus spend.”
Just six weeks before the event, the US government announced $19 billion (£13 billion) of funding for electronic health records and other healthcare technology as part of its $787 billion (£535 billion) economic stimulus package.
Exhibitors reported heavy traffic at their booths as a result. “Within 12 months from now, we expect most vendors to be backlogged 12 months or more [for new installations],” said Jack Smyth, president and chief executive of Spring Medical Systems, a Houston-based seller of electronic health record (EHR) and practice management software for physician offices.
HIMSS chief executive officer H Stephen Lieber cautioned that those who delay purchasing health IT are going to get shunted to the back of the vendor queue. “Were I sitting in a chief information officer’s seat, I would be working on this now,” he said.
Great technology on show
Companies attending the show were also keen to show how their technology could help hospitals and other healthcare providers start delivering on President Barack Obama’s spending pledges.
Microsoft, for example, was in Chicago to unveil the latest version of its Amalga hospital information aggregation platform, which now links up to its HealthVault personal health records platform.
It already has a major customer – New York Presbyterian Hospital – signed up to use the two technologies to make records, tests and other data available to patients through a portal called myNYP.org.
“The introduction of myNYP.org demonstrates that we can innovate today – using technology already in place – to deliver on many of the goals targeted by the new administration’s stimulus spend,” said Peter Neupert, corporate vice-president of Microsoft Health Solutions Group.
Microsoft also wowed visitors to HIMSS with its latest demonstration of surface computing – giant touch screens that allowed medical information to be displayed and manipulated without traditional computing paraphernalia.
Subhead: Now for the detail…
However, there is a conundrum for the US healthcare IT industry right now. The stimulus legislation requires providers to demonstrate “meaningful use” of technology in order to qualify for subsidies through either the Medicare programme for the elderly and disabled or the state-administered Medicaid programme for the indigent.
The law leaves it up to the US Department of Health and Human Services to define “meaningful use” by the end of 2009; and there currently is no head of that department.
President Barack Obama’s first choice for health secretary, former Senate majority leader Tom Daschle, withdrew his nomination after he under-reported income on tax returns, and other tax issues have delayed the confirmation process for the current nominee, Kansas governor Katherine Sebelius.
With this important point hanging, much of the talk around Chicago was what “meaningful use” should and will include. HIMSS is soliciting comments from the industry until the end of this week and then will put together a formal position paper by early May. Then the wrangling will begin.