Experts concerned that vital systems may be disabled
Information security experts have warned that the rapidly increasing use of information technology in hospitals and healthcare facilities in Thailand is leaving vital systems vulnerable to computer virus attack.
Hospitals, in particular, have been advised to develop a new group of security professionals to safeguard healthcare information-technology systems upon which lives may depend.
The source of malignant software can be any one of the numerous medical devices linked to vulnerable hospital systems, according to Prinya Hom-anek, president of information-security firm ACIS Professional Centre.
He said hospitals should support the development of new IT-security experts specialising in healthcare systems. These specialists could monitor risks to hospital information systems and IT infrastructure.
"Healthcare information is very important for patients because it is very private information. If a medical device is infected with a computer virus it can even represent a risk to patients' lives. Therefore, hospitals should create awareness of the threat, to protect against affects to healthcare databases and consider the high danger of infected computers or medical devices being linked to their networks," Prinya said.
He said that to solve the problem, hospitals should develop their IT infrastructure to reach ISO 27799 standard. This is an information-security standard developed by the International Organisation for Standardisation. Its title is "Health Informatics - Information Security Management in Health using ISO/IEC 27002".
Prinya said the purpose of ISO 27799 was to provide guidance to health organisations and other holders of personal-health information on how to protect this information by implementing ISO/IEC 27002, a standard for information security.
Hospitals whose IT infrastructures have achieved ISO 27799 will benefit from increased confidence from patients. Reaching this standard will also reduce the risk of losing information and patient privacy, suffering from human error and coping with the impact of such an event on the hospital's reputation, he said.
"Hospital executives regard IT security as an increased cost to the hospital. But they should realise that enhanced IT security will protect patients' privacy and increase productivity in terms of patient treatment, which will help a private hospital to create a competitive advantage. And they should be creating awareness of this fact," Prinya said.
He said the government had developed a final draft to revisions of laws related to e-transactions, to support the security of healthcare information and the security of information belonging to government organisations. Revised laws for e-transactions are expected to be announced before the end of this year, he said.
Thai Medical Informatics Association committee member Sutee Tuvirat said the government and hospitals should develop a new class of IT-security professional to protect healthcare information held by government agencies, hospitals and the healthcare infrastructure. This new human resource would develop an ability for early detection and prevention of vulnerability to virus infections in the country's healthcare IT systems as well as an ability to restore information in healthcare databases.
"Hospitals should develop healthcare-information security professionals to manage critical IT risks. Hospitals should also assess risks in three areas: hospital information systems, medical devices and building automation systems. This will create confidence, enhance public safety and reduce the present gap in risk management," Sutee said.