Health sector's Achilles heel: Security leaks

An industry insider warns that the much-hyped effort to digitize medical records is being compromised by theft of personal data, putting patients -- and investors -- at risk.

By TheStreet Staff Mar 26, 2013 10:42AM

By Jonathan Blum, TheStreet


Greg Porter has this frightening diagnosis for e-health care investors: The digital diseases of piracy and commodification of information that have debilitated the music, publishing and financial services industries have infected their field as well.


"The theft of protected, personal health information has never been higher," he said.

Porter is no quack. He's the founder of Allegheny Digital, an information security company in Pittsburgh, and an adjunct faculty member at Carnegie Mellon University, where he pioneered the curriculum on information security in the health care industry.


"I'm trying to let anyone within earshot know about this," he said. The trouble is, few in the industry appear to be listening.


A stunning 21 million health care records have been compromised since the fall of 2009, when the U.S. Department of Health and Human Services began keeping track. The agency goes as far as to post these breaches on an agency website "Wall of Shame." Last year, the Utah Department of Health alone inadvertently exposed some 780,000 patient records.


"You almost become numb to it after a while," he said. "You wonder, 'Does it matter? Does the public care?'"


A healthy health care market? 

Investors need not bother with med school to learn that health care in the United States has belligerently resisted the digital age. Most experts I spoke to say it's roughly a decade behind the leading edge of the information age.


But like it or not, health care is going digital. The sector is undergoing a shock-treatment regimen of federal mandates such as the Patient Protection and Affordable Care Act and stimulus enticements from the American Recovery and Reinvestment Act.


And investors and blue chip companies are rushing to cash in. 


Behemoths such as Dublin, Ohio-based Cardinal Health (CAH) have been pushing electronic health care solutions with consulting services for small practices. New York-based start-up ZocDoc claims 2.5 million users -- and Amazon's (AMZN) Jeff Bezos as an investor.

Just last week, Boston-based QPID, an electronic medical records search tool to help doctors screen patients, announced it had raised $4 million from Boston-based Partners Innovation Fund and Matrix Partners.


Chamath Palihapitiya, a general partner with The Social+Capital Partnership and a former senior executive at Facebook (FB), told me flatly that e-health care is one of just four of the venture fund's major investment areas.


"There is so much opportunity to bring more rational health care choices to consumers," he told me over the phone.


The patient is not well 

While investors may see nothing but the healthy glow of profits here, even a cursory tour of e-health care with Porter as a guide shows that protecting this wave of digital information is going to be like curing the Spanish Flu.


"We're just seeing the tip of the iceberg in terms of breaches," Porter says.


Porter says that even the basics of information security -- stupid stuff such as unique passwords, simple file protection and basic malware software -- are flatly beyond the e-health care industry. Most health care records are essentially unprotected commodities for criminals, he says, who use them to get free medical services and trade in prescription drugs.


"This is not sophisticated to obtain. It took me less than 30 minutes of research and I was trading information with people willing to buy and send me samples," is how he described the process of obtaining valuable health care identities. It's a process that will only get easier as e-health records get more prevalent.


What's the price of a stolen soul working out to? Not much. Porter estimates the street value of an individual e-health care record has collapsed to just $20. 


"Imagine if that was your information being traded on the open market," he said. "It's infuriating and inexcusable."


The prognosis: Not so good  

The bitter pill health care investors must swallow tastes like this: The market in digital health care information turns out to be awfully similar to any other digital market, with shrinkage, theft and piracy just the sad facts of life.


That means, friends, that just like in the music industry -- where 65% of content is obtained for free, according to the Recording Industry Association of America -- similar amounts of e-health care records will be similarly stolen. Investors, therefore, need to hedge the risk that margins on delivering health care data will shrink along similar lines of music, publishing and financial services.


Investors should plan on margin-killing free and freemium Web businesses to grind parts of the e-health care market into dust. Go look: WebMD and are already well along morphing into no-margin, free, ad-supported -- not to mention profit-challenged -- e-health care riffs just like music and content services such as Grooveshark and And government e-health portals similar to in the financial planning and accounting realms will take their bite.


Sure, as in music and publishing, the live performance and event elements will hold value. Surgeons, nurses and ambulance drivers will still get paid. But the so-called massive market in the virtualization and trafficking in health care data that is driving this current wave of investor speculation will almost certainly suffer the same maladies as the rest of the Information Age.


Like any e-business, e-health care will struggle to be healthy.



Mar 26, 2013 1:14PM

I have worked on EMR projects and the biggest thief will be the US government who wants to know everything about you.


Be afraid.  Be very afraid.

Apr 4, 2013 9:19AM

Keeping medical records in folders stored in file rooms belongs in the 50s. Your whole life is one big digital record and it's time the medical profession joined the rest of us in the 21st century.


An acquaintance of mine bought the contents of a storage locker used by a medical group whose "grand plan" failed. It contained, among other things, several boxes of patient records. And yes, he returned them to the doctors.


I'd rather have my medical records sitting on a firewalled server, rather than in some file cabinet in a doctor's office. If you bank or trade stocks online or with a smartphone, I don't see why you are concerned about medical records going digital. Any system can be hacked, but as the saying goes, it is what it is.
