This Wednesday, I'll be testifying in a U.S. House hearing to examine options to combat health care waste, fraud and abuse. This service has rustled up memories of my time as a tech gopher at Holland Community Hospital in the 1990s when the hospital deployed second-factor authentication tokens for clinicians (i.e., 2nd factor = something you have rather than something you know). One of my tasks was to write software to quickly and effectively detect incorrect entries in the hospital's voluminous general ledger. Medical billing records. So exciting. I remember replacing lost "authentication keys" for nurses and physicians who would visit my tiny time-shared desk next to the machine room for the soon-to-be-retired VAXen, line printer, and reel-to-reel backup. At the time, the authentication keys were literally shaped as plastic keys. Each clinical computer had a key reader connected via serial port. Clinicians would insert and twist the key in order to access the clinical computing systems. Removing the key resulted in automatic log out. I am told that the system lives on today in some form nearly 17 years later.
What's changed across the nation in terms of health care cybersecurity since the 1990s? Malware spreads by USB sticks and IP networks rather than 3.5" disks. Medical devices depend much more on networks and software. There are now so many layers of software dependencies, it's hard to even inventory what's in the trusted computing base.
I still have the wooden shoe presented to the staff who helped "go live" with this clinical computing system in Holland. Stored on a shelf right above my IHTFP propeller hat.