There are interesting parallels between the electric power grid and medical facilities when it comes to cyber threats. Until recently, few cared about whether the electrical grid was exposed to computer attack. The devices which enable the grid to deliver power to our homes used to be mechanical or electro-mechanical devices that operated automatically in isolation from each other or had to be physically switched by a technician in the field. They didn’t communicate with each other to coordinate their actions, nor did they engage in two-way conversations with a distant control center. If they did, they tended to use proprietary operating systems used only for industrial control systems and nothing else. They didn’t use commodity operating systems or networking appliances that were also used in home and office computers.
However, the Smart Grid and its automatic, coordinated controls and high-speed communication systems have changed the situation significantly. Power grid devices now work together to increase the efficiency and reliability of how the grid delivers power to our homes and businesses. To realize these gains as quickly and as inexpensively as possible, many of the new generation of tools borrow software and hardware from computing systems used in the personal and business computing spaces. Otherwise, the lead time associated with creating entirely new communication protocols and operating systems would make the Smart Grid push impractical. The promised advances in efficiency, reliability, and environmental stewardship, combined with pressures to realize these gains quickly and at low cost, have made the cyber threat a clear and present danger to the grid.
We are now seeing exactly the same scenario play out in health care. Health Care IT has received a lot of attention and funding over the past few years. It is considered an area of huge economic growth, and career prospects look outstanding. The outlook is rosy because the inefficiency of the current system is so obvious to patients, who end up having to describe their symptoms to four different people in the span of a single visit, and who find themselves in the uncomfortable position of questioning the doctor’s every move because he or she has nearly made serious mistakes in the past based on grossly incorrect data. There are also strong economic pressures to avoid over-prescribing expensive medicine, treatments, and tests, and so different medical facilities must coordinate with each other to avoid waste.
For economic efficiency and patient safety, the health care industry has increasingly adopted computer technology. This was a long overdue step. However, this rollout closely resembles what is happening with the grid. The new systems employ commodity hardware, applications, and operating systems communicating through commercially popular network appliances and industry-standard communications protocols. Health care companies also are embracing the cloud to a great extent to store and exchange massive quantities of patient health and payment data. These decisions have been made to drive down costs and speed up deployment. However, the negative consequences are the same in health care as they are with the power grid: the industry has opened itself up to crippling cyber attacks.
That is why it is encouraging to see that the National Science Foundation is funding new research into health care IT security. Specifically, computer scientists and electrical engineers with the University of Illinois’ Information Trust Institute are collaborating with researchers at Dartmouth and the University of Michigan to study how to build trust in health care information systems.
I used to work as a Visiting Research Scientist with some of the researchers on a very similar project at U of I called Trustworthy Cyber Infrastructure for the Power Grid (TCIPG). It is encouraging to see these same experts now adapting their findings from the power grid to another vital national infrastructure. I am confident our health systems will be safer as a result.