Two incidents reported yesterday in two different hospitals highlight the risk in automation of health care processes and the criticality of information security.
In one of the incidents, a virus left three hospitals in disarray and cancellation of all routine operations and outpatient appointments. (Read the Story Here)
The Virus infection affected two hospitals namely the Northern Lincolnshire and Goole NHS Foundation Trust (NLAG). Due to use of some shared services, a third hospital United Lincolnshire Hospitals NHS Trust (ULHT) also had to cancel operations.
Hopefully this is more like a “Denial of Medical Services” and unless some of the cancelled operations were time critical, the damage may be contained with some inconvenience.
But the incident highlights how a normal information security incident gets into “life Threatening” mode in a health care scenario making Information security that much more of a critical care issue.
There was another incident which is also of concern which indicates how some times human intervention should always be at standby when we use automation in health care.
This incident (See Report here) occured during a robotic surgery when a laser beam being used in surgery caught fire at Tokyo Medical University Hospital. The cause of the fire was unfortunately farting (passing of gas) by the woman during the surgery. The gas being inflammable was ignited by the laser beam and caused severe burns in the 30 year old women undergoing ovarian surgery.
This fire incident may not directly be called an “Information Security Incident” but it must be recognized that the robotic surgery was not equipped to stop the laser beam instantly when the surrounding environment changed due to an unforeseen incident.
The incident is similar to the automatic brake system of a Google car failing when a crash is imminent. It must be attributed to the failure of the safety system in the automation of the health care process.
This could eventually be considered as “Negligence” of the “System” and the company manufacturing the equipment and the user (hospital) may be held negligent as an “Intermediary” and have to bear the liabilities.
When HDPSA is drafted, it will incorporate certain aspects of the “Telemedicine Act” which was once contemplated in India and abandoned which had elaborate provisions for the medical equipment manufacturers to be registered and monitored.