Crucial security features are to be installed on a problematic multimillion-dollar software system that has exposed hundreds of thousands of patient records for the University Hospital of the West Indies (UHWI) to potential abuse.
A Sunday Gleaner investigation uncovered serious safety issues with the web-based Hospital Information Management Systems (HIMS) after weeks of observation, which included users being warned against entering sensitive information because the connection was not secure.
In a statement responding to the revelations, the hospital said it is now working with Advanced Integrated Systems (AIS), which is implementing the project, to fix the issue.
“This will involve the installation of a Secure Sockets Layer (SSL) Certificate on the HIMS server at AIS,” noted the statement issued by the UHWI.
“Security is an ongoing exercise, and the hospital is fully focused on the constant assessment of the environment, aimed at strengthening our threat-management programme & practices to identify, eliminate or mitigate cybersecurity and other risks,” it added.
An SSL certificate is a digital certificate that authenticates a website’s identity and helps assure data integrity. SSL has evolved into Transport Layer Security (TLS); web browsers show a padlock icon when a secure connection is established.
The Douglas Halsall-led AIS has been implementing the project, which is four years past its delivery date. It has racked up more than $500m in expenses.
USERS HAD NO CHOICE
Last month, AIS said the HIMS website address was private and not accessible over the Internet, and that the ‘not secure’ prompt users got when trying to log in was not an indication of a problem or vulnerability with the website.
“It is essentially a network configuration matter for the UHWI,” said Shekar Sanumpudi, director of health applications, adding that users were logging in through HTTP (not secure) connections instead of HTTPS (secure).
However, that view was challenged by tech expert Trevor Forrest, who argued that users had no choice in determining how they connect.
“It is the server that you’re connecting to that dictates whether the connection is secure or not,” said Forrest, the CEO of 876 Technology Solutions, a company specialising in website design, cloud hosting, and document management.
Forrest said the claim that an application on a private network reduces the risk of compromise was a “common misconception” among businesses.
“Your value is in the fact that you might have a big client that you have access to, whose data is valuable. Hackers won’t hack the secure thing, they’ll hack the insecure,” said the cybersecurity expert.
The HIMS project to digitise the UHWI’s systems has been a major source of concern because of its drawn-out implementation while gobbling up money from the struggling Mona Campus of The University of the West Indies (UWI).
The UWI signed the contract in 2015 for the implementation of the Indian software by April 2017. The contract procurement is now under review.
After The Sunday Gleaner brought the issue to light in June, UWI Vice-Chancellor Sir Hilary Beckles ordered a deeper audit, while Professor Archibald McDonald, who signed the contract when he was Mona principal, said the agreement should be renegotiated.