Trusted interoperability and the patient safety issues of parasitic health care software

Document Type

Conference Proceeding


secAU Security Research Centre, Edith Cowan University, Perth, Western Australia


Faculty of Computing, Health and Science


School of Computer and Security Science / Security Research Centre (secAU)




This article was originally published as: McCauley, V.B., & Williams, P.A.H. (2011). Trusted interoperability and the patient safety issues of parasitic health care software. Paper presented at the 9th Australian Information Security Management Conference, Edith Cowan University, Perth, Western Australia.


With the proliferation of software systems and products in the healthcare environment, it is increasingly common for such software products to be constructed in a modular design. However, for modular software to be securely interoperable with other software products, it requires agreed, consistent and accountable interfaces. This agreement may take the form of bilateral vendor-to-vendor arrangements or be made via a trusted external third party, such as a jurisdiction, who coordinates agreed interaction methods. Standards are a particular form of mutually trusted third party. Unfortunately, this agreed method of interoperability is not always present in vendor software. Where one software product or module interacts with another in the absence of any agreement, it is referred to as "bolt-on". It is perhaps more descriptive to refer to such software in terms of its potential to cause harm, using the biological analogy of "parasitic" software and associated "host" software. Analogous to biological systems, parasitic software can operate by data injection into, or data extraction from, the associated host database. Both forms of parasitic software exploit access mechanisms or security flaws in the host software independently of the host vendor and in ways not intended or supported by the host vendor. This paper discusses the mechanics of this security vulnerability and, more importantly, the potential adverse consequences of such susceptibilities for patient safety. As Australia moves to a national connected e-health system, these issues are causes for grave concern. This paper provides a case study of this insecurity to highlight the problem, promote discussion and encourage potential change.