Small Office, Big Software and eHealth Problems

Sunday, November 28, 2010

Rafal Los


I recently spent some time thinking about small business - specifically medical practices.  Working for a company like Hewlett Packard, I have the luxury of counting some of the largest companies in the world, in literally every vertical, as my customers... but what about those smaller SMB-sized companies?

How does software security assurance (SSA) apply to them? How do they apply principles that I wax philosophically about here to their daily activities to decrease risk and avoid being victims?

Well, I still don't have all the answers, but I did find something that I think you need to know if you're operating a non-enterprise business... more specifically a small to medium sized medical practice.

If you're running an SMB (small to medium sized business) you more than likely have a very tight budget and are very deliberate and frugal about how you spend on technology. 

Technology really has to enable something game-changing or cash-producing to justify a purchase.  With that in mind, it's no surprise that a lot of open source software packages have found their way into SMBs.

I'm not saying that open source software has more issues than commercial, closed-source code... but I don't think I'll find anyone to argue against the point that it's more difficult to find corporate-level accountability with open-source software, especially if you're a business.  So... why does this make a difference?

Let's just say I've managed to review some of those packages and can tell you for a fact that you can drive a Mack truck through every single one I've evaluated. There's a good, long list of some of them on Wikipedia here.

Obviously to protect those who are using these platforms I'm not about to tell you which ones are "hole-y" and how bad... but the situation is dire.

See, the problem is this: if you're a small business you don't have the cash to spend on a professional, well-designed eHealth or eMed platform... therefore, when you use one of these poorly written open source platforms, you probably won't be testing the security of what you're implementing.

As a result of this, you're putting your practice and your patients at huge risk! This leads to an unfortunate downward death-risk-spiral, which there may be no return from if you're in a state that prosecutes and punishes for medical data breaches.

So you're stuck between the proverbial rock and a hard place, right?  You can't afford commercial apps, which at least come with the luxury of risk transference - and you can't afford to do the right thing and see for yourself... or can you?

I'd like to urge you to take a look at your practice, and if you're using an eHealth or eMedical platform that you're not 100% sure is reasonably secure - send me a note.

I don't often blatantly advertise "Come talk to us" but your patients are depending on you to do the right thing and keep their privacy and security in mind. 

It's not just about being cost-conscious, because cost can and often will come back and bite you on the back end when you cut corners with security.

Go test your eHealth applications before you get a "free" test from someone who won't likely share the results, and will keep the data.

Cross-posted from Follow the White Rabbit
