10/18/2012 8:15 PM ET
For ransom: Your medical records
With digital information so vulnerable to hackers, the need for greater security is growing. Case in point: One medical practice's data breach.
It started out as a data breach like many others. The hackers penetrated the computer network of a small medical practice in a wealthy suburb of northern Illinois, the Surgeons of Lake County, and broke into a server containing email and electronic medical records. But instead of sneaking out undetected and selling the stolen data on the black market, they took a novel tack -- encrypting the data and posting a message demanding a ransom payment in exchange for the password.
The move from fraud to extortion in cases of data compromise is frightening for several reasons. First, it suggests that the criminals knew exactly what they were doing, and that they deliberately targeted digital medical records as part of a well-planned strategy -- an approach that we can expect to see employed more frequently as the digitization of records and broadening of access become the norm in the health care industry. Secondly, this M.O. implies a tremendous confidence in the criminals' power to disrupt -- and a calculation that the illicit return on investment from blackmail would exceed the price that the data would command on the black market.
All of this is ultimately made possible by the digitization of medical records and the placement of those records on networks, often unprotected ones. It gets you thinking: Would you post your medical records to your Facebook profile? Share a CAT scan via Instagram? Discuss your prescription history with your network on LinkedIn?
Not likely. Even if every single one of your Facebook "friends" really is a friend, the idea of such personal information falling into the hands of strangers is hard to stomach -- especially if those strangers happen to be criminals looking to make a quick killing and you are the roadkill.
But what if the server where that information is living belongs not to Facebook or LinkedIn but to a health information exchange -- a computer network designed to put your medical information and that of millions of other patients within easy reach of medical professionals throughout our nation's health care network?
The truth is that it may be there already, whether you know it or not. At least 255 health information exchanges exist across the United States so far, including 17 each in New York and Texas, 12 in Florida and 10 each in California and Michigan, and that number is increasing at a steady clip. Their growth has been spurred partly by federal grants awarded to incentivize medical professionals to participate in and promote the ongoing makeover of the health care system, and partly by the obvious efficiencies inherent in such a centralized and frictionless approach.
In a perfect world, this would not be a problem, and could be a solution. Tremendous benefits can be derived from having a patient's medical data available to practitioners throughout the health care network -- from general practitioners and pharmacists to surgeons, radiologists, lab technicians and emergency response teams. To have current, accurate and reliable data about a patient's medical history just a click away -- whether the matter is urgent or routine -- will save money, time and, of greatest import, lives.
If you doubt that last assertion, consider this: It has been estimated that a million and a half people are hospitalized annually in the United States due to adverse reactions to wrongly prescribed and overprescribed medications, and some 100,000 die each year from adverse reactions to wrongly prescribed drugs. How many of those deaths and hospitalizations might have been avoided by having an accurate patient record close at hand? When you reflect on the full range of medical errors that take place each year due to missing or inaccurate patient data -- from unnecessary surgeries to under-the-radar cancers -- the value is clear.
Then again, in a perfect world, a shopkeeper could stock the shelves, post the prices and leave for the day -- secure in the knowledge that people are honest and will pay for whatever they take.
This is not a perfect world. And that is why some people find health information exchanges so scary.
Unfortunately, not everyone follows the core precept of medical ethics often attributed to the physician Galen: "First, do no harm." Indeed, our society has learned the hard way that where there's a weakness, there's a weasel waiting to exploit it. And a database brimming with sensitive data is exploitation waiting to happen.
We all know that digitized health records have long been a target for identity thieves, and the list of major data breaches involving hospitals and other health care facilities is a long one. In fact, as Bloomberg reported recently, medical providers suffer more breaches than any other type of organization, with an astonishing 690 data breaches involving 23 million records since 2005. One recent glaring example is the University of Texas MD Anderson Cancer Center in Houston, which has had three data breaches involving patient information because of a lost thumb drive and a couple of stolen laptops.
The Surgeons of Lake County scenario is frightening, in part because it can be (and has been) applied far beyond the world of medical records -- in the private sector, certainly, but also in government. Imagine a wave of database kidnappings-by-encryption that target not just health information exchanges and other medical practices but also banks, insurance companies, government agencies and even military facilities. Clearly, such a scenario must be avoided, even if that requires significant changes in the way we store, transmit, use and protect sensitive digital information.
Even within the realm of health care, however, we are seeing early signs of a potential catastrophe, one that will be difficult to avoid precisely because the case for digitizing and centralizing medical information is so strong at every other level. The digitization of medical records may make a whole lot of folks queasy, but it is also smart and efficient, offering a huge opportunity to save both money and lives. It is, in fact, inevitable. Unfortunately, so are data breaches and the identity compromises that will follow.
We need to be deadly serious here, because we're not talking just money anymore. Lives are literally at stake. Up to now, the federal government has taken a hands-off position with respect to the workings of health information exchanges, leaving it up to the states to determine how patients' data will be treated and whether they will even be told their information is being shared or are given the choice to opt out. Even when patients are brought into the loop, they must balance the privacy advantages of opting out against the medical risks of being outside the system -- and thus losing the advantages of more rapid and accurate diagnosis and treatment.
No patient should have to make such a life-or-death choice. As our society moves toward digitization and sharing of a wide range of extremely sensitive data, it is essential that we find approaches to information security that rest on a solid foundation, enabling technological and social advances while protecting both individuals' privacy and our institutions' security. Wishful thinking won't cut it. Neither will complacency. If digital information is the bedrock on which our society now rests, we have some serious work to do. If we don't do it, there's a shaky, scary future ahead.
So far, all we think we know about the Lake County incident is that no ransom was paid, the server has been shut off, the police are involved, the patients have been notified, and credit monitoring has been offered to those who face exposure in one form or another. We don't know whether the hackers made copies of the files before they encrypted them and have already sold them on the black market, whether the server was backed up, or whether the data was destroyed. Anyone clever enough to pull this off is smart enough not to begin using the data for a while anyway. We don't know whether other businesses in the area were hacked as well.
What we do know is that this isn't the first hacking-for-ransom incident, nor will it be the last.
I support digitization, provided the prime directive is security and not simply convenience. I, for one, do not feel a whole lot of comfort walking into my doctors' offices and seeing a wall of open filing cabinets filled with patient files ripe for the plucking by an opportunistic passer-by, an unscrupulous employee or an unwelcome nighttime visitor. Do you?
Being in the healthcare industry, I do not support EMR and EHR because of the mistakes that can be made because we always assume the computer is right. With identity theft and the theft of insurance cards, erroneous information can and does make it into medical records. What happens if the wrong blood type is entered? You can kill a patient. I've known of patients who have gone to the pharmacy to pick up their electronically submitted prescriptions only to find the wrong prescriptions were transmitted or mixed up electronically. Because the patient didn't have the handwritten prescriptions, it was difficult to filter through all the information to discern the correct prescriptions.
I suspect that just as many people will die with EMR and EHR as without. I also am not in favor of aggregating ANY information. It is too easy to attack and manipulate.
If the medical practice in question used passwords and encryption technology to secure the data and backed up their data EVERY night, I would tell the hackers to go screw themselves, reset EVERY password on the system using multi-digit, alphanumeric-special characters and then immediately call the FBI. This is computer terrorism, plain and simple.
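The commenter above and the article's own open question (whether the Lake County server was backed up) come down to the same mechanical point: a practice that holds an offline copy of its records, and can verify that copy is intact, can refuse to pay. The Python below is an added example, not code from the article, the practice, or any commenter. It records a SHA-256 manifest of a record store at backup time, flags files that later change and whose byte entropy has jumped to ciphertext levels (ransomware-style encryption), and restores only backup copies whose hashes still match the manifest, since a backup the attacker could reach may itself have been encrypted. The patient records are constructed and fictitious, and the "ransomware" is a stand-in that XORs each file with a random keystream, assumed here only to reproduce the entropy signature of real encryption.

```python
"""Added example: detect ransomware-style encryption of a record store and
recover from a hash-verified backup. Sample data is constructed; this is not
the Surgeons of Lake County system or any real EHR product."""
import hashlib
import math
import os
import shutil
import tempfile
from collections import Counter
from pathlib import Path

# Bits of entropy per byte. Repetitive plain-text records sit near 4-5;
# ciphertext from any sound cipher approaches 8.0. 7.0 is an assumed cut-off.
ENTROPY_THRESHOLD = 7.0


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; empty input scores 0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 of every file, taken when the backup is made."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def find_suspect_files(root: Path, manifest: dict) -> dict:
    """Compare the live store to the manifest. Returns relpath -> reason."""
    suspects = {}
    for rel, expected in manifest.items():
        p = root / rel
        if not p.exists():
            suspects[rel] = "missing"
        elif sha256_file(p) != expected:
            ent = shannon_entropy(p.read_bytes())
            suspects[rel] = "encrypted" if ent > ENTROPY_THRESHOLD else "modified"
    return suspects


def restore_from_backup(backup: Path, live: Path, manifest: dict) -> dict:
    """Copy manifest-verified backup files over damaged live files.
    A backup copy whose hash disagrees with the manifest is reported as
    unrecoverable rather than restored: it may have been encrypted too."""
    result = {"restored": [], "unrecoverable": []}
    for rel in find_suspect_files(live, manifest):
        src = backup / rel
        if src.is_file() and sha256_file(src) == manifest[rel]:
            (live / rel).parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, live / rel)
            result["restored"].append(rel)
        else:
            result["unrecoverable"].append(rel)
    return result


def sample_record(i: int) -> bytes:
    """Constructed, fictitious patient record: repetitive text, low entropy."""
    line = (f"patient_id={1000 + i};visit=2012-10-0{i + 1};"
            f"note=routine follow-up, no new findings\n")
    return (line * 60).encode()


def simulate_ransomware(path: Path) -> None:
    """Stand-in for the attack: XOR the file against a random keystream.
    Real ransomware uses a proper cipher; the effect on byte entropy is the same."""
    data = path.read_bytes()
    key = os.urandom(len(data))
    path.write_bytes(bytes(a ^ b for a, b in zip(data, key)))


def demo() -> dict:
    """Backup taken, two records encrypted, detection, recovery without paying."""
    with tempfile.TemporaryDirectory() as tmp:
        live, backup = Path(tmp) / "ehr", Path(tmp) / "backup"
        live.mkdir()
        for i in range(3):
            (live / f"patient_{i}.txt").write_bytes(sample_record(i))
        manifest = build_manifest(live)
        shutil.copytree(live, backup)  # the offline copy the attacker cannot reach
        for name in ("patient_0.txt", "patient_1.txt"):
            simulate_ransomware(live / name)
        suspects = find_suspect_files(live, manifest)
        recovery = restore_from_backup(backup, live, manifest)
        return {
            "suspects": suspects,
            "restored": sorted(recovery["restored"]),
            "unrecoverable": recovery["unrecoverable"],
            "clean_after_restore": find_suspect_files(live, manifest) == {},
        }


if __name__ == "__main__":
    print(demo())
```

The manifest has to live with the backup, off the network the records server sits on; a hash list the attacker can rewrite proves nothing. The entropy test is a heuristic: already-compressed or encrypted-at-rest files score high before any attack, so in practice the manifest mismatch is the trigger and entropy only classifies the damage.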
I would like the medical profession to stop giving out my medical information to government agencies such as the DMV, etc. You think your medical information is protected by doctor-patient privacy, but find out they can give it to any federal or state agency, without the common courtesy of a heads-up even.
Data breach of reciprocal character on a rotary retrospective basis to multi horology and multi image frame graph extent have caused and are causing gaps in the Freedom of Information Act. To see a medical representative and issue your private information coming to the point of a malpractice junction counter your intake process process your portfolio to the realms of flaming you geographical continuity via including the harms and woes of under debt efforts of index slander and intentional capping skills of misfeasance accounting to de conceal privacy as a malmunicipal is as it appears a drastic professional encounter calamity and a drastic public affairs calamity. The positives of professional medical travesty being used are the worst states of crisis. As noted in past, progressional, and modern media it gets costly to field the opportunity of medical tenure, use the opportunity of medical tenure, and ruin the opportunities of medical tenures' endeavor to multiplex, and with the aggressions of relativity (I am private) be of the process of medical opportunity humanity.
addict like them, or they realize they messed up and try to cover up, OR the politicians need a new VICTIM for their "secret club" where they rape, mutilate, and eat their victim. Fairfax hospital in Virginia, Gettysburg and York in Pennsylvania practice all these "procedures". And could quite frankly care less about a patient's "medical" history, or drug interactions. They care only about how much torture, mutilations and pain they can get away with and still get themselves drugs, and show a huge profit!!!
Copyright © 2014 Microsoft. All rights reserved.