Have you ever told your doctor something private that you wouldn’t want your family, friends and neighbors or even a tabloid paper to know?
Have you ever received a medical test result that you wouldn’t want shared with your employer? Your spouse or children?
What would you do if someone threatened to make public all your healthcare information—your medications, diseases, operations, doctors’ names and types, everything—unless you paid them a huge sum of money?
Recent attacks demonstrate that your most private healthcare information is seriously at risk. And, absent major changes, the risks will grow exponentially.
Last month, hackers attempted to extort $10 million after breaking into a Virginia State web site used by pharmacists to track prescription drug abuse. The records of more than 8 million patients were deleted and a ransom note was put on the Virginia Prescription Monitoring Program’s homepage, demanding $10 million in exchange for the return of the records.
The ransom note claims that the information was stolen and encrypted. A popular website published the ransom note that replaced the program’s homepage, which read:
“I have your (expletive)! In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :( For $10 million, I will gladly send along the password.”
The Director of Virginia’s Department of Health Professions has confirmed that state and federal criminal investigations are underway.
At almost the same time, The University of California at Berkeley disclosed that hackers had broken into their health-services database. The University began sending out notification letters to current and former students. The hackers had access to, and may have taken, health insurance information and medical information. The breach in the server took place from October 9th, 2008 until April 9th this year, when administrators discovered messages left behind by foreign hackers.
These are not the first instances where cybercriminals have stolen the private health care information of Americans. Last December, Lawanda Jackson pleaded guilty to violating federal privacy laws by selling private medical data from celebrities, including Britney Spears, Farrah Fawcett and Maria Shriver (wife of California Governor Arnold Schwarzenegger), to the National Enquirer tabloid. Last October, cybercriminals attacked Express Scripts, one of America’s largest processors of pharmacy prescriptions, threatening to release personal information of millions of Americans unless their demands were met. There is an ongoing investigation into the Express Scripts incident.
These recent attacks provide cause for real concern among cybersecurity experts and healthcare professionals alike. Inadequate cybersecurity systems put our most personal data at risk.
What is more disturbing is that the problem is likely to get exponentially worse—unless drastic changes are made. President Obama’s healthcare plan is heavily focused on the use of electronic health records to help modernize our nation’s health care system. The recent stimulus package provides $19 billion for the next two years for the use of health information technology and President Obama has pledged an additional $50 billion total over the next five years. The benefits of “e-Health” are substantial and this is a policy direction our nation should be taking.
However, absent vastly more effective cybersecurity measures, the implementation of e-Health will significantly increase the risks for all Americans. Putting more and more highly personal healthcare information on insecure networks is, in effect, a stimulus package—for cybercriminals.
The prospect of having your personal health history made public is frightening. A stolen credit card can be replaced and most if not all the unauthorized charges removed. But an individual whose health records are exposed can be embarrassed, blackmailed, fired, or lose their insurance. “Farrah’s Story,” the television documentary that shows actress Farrah Fawcett’s struggle with cancer, is an enormously cautionary tale in this respect. In the midst of struggling with a deadly form of cancer, Fawcett faced a series of tabloid news stories about her condition. On her own she traced the leaks back to the UCLA Medical Center, where she was receiving treatment. After Fawcett confronted UCLA, an investigation revealed that Lawanda Jackson, a hospital administrative worker, was providing the National Enquirer with private information in exchange for thousands of dollars in payments. Jackson had used her administrative password to access the information. Along with Fawcett’s files, she had pried into the records of at least 60 other individuals.
Obviously, the risks here are greatest to public figures, like celebrities, stars and pro athletes. However, consider what might happen if a hacker gained access to the records of the president, vice president or a Cabinet member. Likewise, a hacker could create enormous market problems by releasing the records of a corporate leader. We have all seen the impact of the uncertainties surrounding Steve Jobs’ health. What if a hacker released data showing that Bill Gates was on death’s door, or that Ben Bernanke was suffering from dementia, or that Eric Schmidt might have Alzheimer’s? (Note in advance: we have no information to suggest that any of these conditions may be the case.)
Moreover, e-Health data vulnerabilities literally could cost lives:
- Imagine what happens if critical data isn’t available to an emergency room doctor treating a patient because a criminal has taken the e-Health system down just like the hackers took the Virginia records down.
- Imagine what happens if information about an allergy is deleted, or a blood type is changed. (The typical victim won’t receive a monthly statement to check.)
Fortunately, new technologies offer us the ability to implement e-Health securely. These technologies are NIAP-NSA certified against the most sophisticated threats. The NSA-NIAP system utilizes Evaluation Assurance Levels in conjunction with the Common Criteria security profiles both to grade the security of systems and to indicate the level of confidence in that grade. These levels range from EAL 1 (minimal security) to EAL 7 (highly secure). However, most of the IT systems that our healthcare system now relies on have been certified up to EAL4+ and only for inadvertent, nonhostile and unsophisticated attacks. The best systems today, such as the Integrity Global Security operating platform and the Tenix Interactive Link Device, are certified at EAL 6 and above against even the most sophisticated attacks, including by insiders with the source code. These systems can make e-Health secure.
However, these systems are not yet deployed within healthcare, notwithstanding HIPAA’s information security requirements. So, while we could all be secure in our healthcare data, instead we find millions of people have just had their most personal information compromised.
Any e-Health system, whether at the national level or the single corporation level, must be built solely upon the best available, most secure technologies. Such technologies must be certified by the government—read the NSA-NIAP—against protection profiles that specifically address hostile, intentional and sophisticated attacks and at confidence levels of no less than 6. Such technologies exist; there is no reason they should not be required for information as sensitive as the private health care information of Americans.
Moreover, such protections must extend to every device that is capable of accessing such data. A November 2008 study of mobile device (e.g., laptops and PDAs) use by over 1,000 healthcare professionals found that 93 percent of the devices were at risk. The study found that 49 percent of the healthcare professionals surveyed downloaded sensitive patient data on their devices. The study further found that over 71 percent of respondents protected their devices and sensitive data with just a single password. Additionally, at least 13 percent of these healthcare professionals had lost one or more devices containing such sensitive information. Moreover, with the shift to e-Health we can expect that such data will increasingly be pushed out to healthcare professionals via laptops, netbooks and smart devices. In fact, the ability to quickly put data literally in the hands of physicians is one of the key benefits of an e-Health infrastructure. However, protecting the core of the e-Health system will be of marginal value if this data is vulnerable on all these devices.
Beyond the technological, any move to e-Health must be accompanied by a range of protections to ensure the privacy of data and the protection of individuals and families, which might include:
- A national e-Health data integrity oversight office charged with ensuring healthcare IT systems are sufficiently secure and are utilizing best available protections and investigating allegations of data breaches or data misuse.
- Statutory protections making clear that victims of health data breaches can recover for all damages of e-Health violations, including loss of employment, loss of insurance, harm to reputation, and other similar harms.
- A trust fund, which could be paid for through healthcare corporation user fees, that would be available to make whole victims of e-Health data breaches.
- A monitoring and reporting system that requires, under penalty of law, that any breach of health data be reported both to the appropriate federal, state and local authorities and to any potentially impacted individuals.
- Statutory protections against insurers using unauthorized data to suspend, terminate, raise premiums or otherwise impose negative terms or conditions on a person who has suffered a breach of their medical data.
- Statutory protections against employers using unauthorized data to suspend, terminate or otherwise impose negative terms or conditions on a person who has suffered a breach of their medical data.
- Enhanced, granular and highly specific patient consent protections.
- Statutory limitations and/or protections on the use of e-Health data for associated research purposes, including specific protections to prevent access to services from being conditioned on acquiescence to the use of data for research purposes.
- Statutory limitations and/or protections on the use of e-Health data for commercial purposes, including specific protections to prevent access to services from being conditioned on acquiescence to the use of data for commercial purposes.
- Procedures to enable individuals to both access their data and to compel the removal of inaccurate or extraneous information from their e-records in an expeditious fashion and without the need for costly legal or administrative assistance.
- Background check and clearance procedures for those individuals who have administrator-level access to e-Health data.
- Statutory requirements that any e-Health participating entity have in place policies and procedures to govern the use of its systems; the use of any and all e-Health data held or accessed; procedures in the event of a breach; the conduct of disciplinary and other remedial actions in the event of the intentional or unintentional violation of such procedures; and the establishment and authorities of an internal e-Health patient/consumer ombudsman.
- Statutory requirements that no e-Health data may be shared or otherwise provided to any entity that does not meet the requisite best available technology requirement and all other applicable policy and procedural requirements.
Before we implement an e-Health record system, the Administration and the Congress need to promulgate baseline standards that require such systems to be built upon the right individual protections and to utilize only the most secure available technologies.
The privacy, personal information and lives of millions of Americans depend on it.