Medical records hacked
4.5 million hospital records were hacked, apparently by a notorious Chinese hacking group. I've been concerned about the security of medical records for years – the issue has been obscured by the huge business breaches like Target, Neiman Marcus, and now Home Depot (Russian hacking teams, usually based in Odessa, Ukraine).
There's a basic structural problem right now with IT security. There aren't enough security experts to go around, and businesses and institutions often have no clue what they're doing. To secure computer records and networks, especially those that have any link to the internet, requires a lot of expertise and constant up-to-date awareness of threats and types of attacks. Think about all the doctors' offices and hospitals you go to. The small practices in particular are not going to have a clue about IT security – yet they're going to have a lot of sensitive information about you. Psychologists, psychiatrists, drug rehab facilities, etc. – they have very sensitive records, but I'd not expect them to do a good job of securing them. If they've got PCs with web access, which they will, and those PCs are on a network with PCs that have your records, there's your vector. (And it will often be the same PCs...)
I think it's best to assume our records are compromised. It's much easier to breach a medical practice than to breach Target. I think it's probably wise to extrapolate from all the breaches you hear about and assume there are a lot more. Security experts say this all the time.
This means you might want to think about what you disclose when you complete all the forms these various places require. It might be wise to just tell a doctor or other professional something you think might be important about your medical history instead of putting it down on a form (though it still might end up in your file because they take notes and so forth – ultimately our medical records are going to have to be populated with medical information.) And when you're visiting unrelated practitioners, you don't need to disclose everything about your medical history, even though the forms ask for it – for example, if you're seeing a physical therapist for a bad knee, maybe you don't need to document your colon cancer or drinking habits, even though their intake forms ask about that kind of stuff (the forms are often boilerplate – they're not necessarily designed for the needs of the practice that uses them.)
9/6/2014 03:10:21 pm
Well, I work in IT for one of the biggest research hospitals in the world, and the head of security speaks to us every once in a while. His point of view is pretty clear: It's not his job to stop hackers; that's impossible. It's not his job to protect patient data: hardly anyone wants it anyhow. His job is to make sure that our hospital doesn't have to pay heavy fines, or spend hundreds of thousands of dollars informing patients about data breaches. To do that, we have to conform with various responsibilities in the HIPAA laws that let us off the hook. I'll just give one example. If a laptop is stolen with patient data, we're in trouble, may get fined, and have to inform each patient. If the laptop is encrypted, we don't have to do anything. That is true _even if the password is taped to the outside of the laptop_. Etc.
9/7/2014 02:23:56 pm
Note that the records hacked in this case were patient identification information: birthdate, SSN, etc. Even though HIPAA also concerns medical data about the patients, I don't think hackers are interested in it; it doesn't seem to be worth anything.
9/8/2014 06:34:14 pm
Thanks for the elaborations, Mike. Encryption solves a lot of problems (so long as the password isn't attached to the device). So do biometrics -- they increase the price of admission for hackers.
José L. Duarte
Social Psychology, Scientific Validity, and Research Methods.