Thursday, April 04, 2013

Just A Reminder That Security Of Health Information Is Not Guaranteed!

The following appeared in Wired a little while ago.

World’s Health Data Patiently Awaits Inevitable Hack

Eugene Vasserman is uneasy about his digital pedometer. The company that makes the thing doesn’t know his name, age, or gender, but it does track his every step and his location. “They know where I sleep. They know my address,” says the Kansas State University cybersecurity and privacy researcher.
Some might think he’s paranoid. But he hasn’t stopped using the device. It’s just that he sees the worst-case scenario — and he’s adamant that the rest of us should see it too. Once health data leaves your immediate possession, he explains, it’s out of your control.
“I’m aware of the tradeoff I’m making … [but] I don’t think people understand what they’re giving up by putting this data out there,” he says. “The direct repercussions are not quite clear because the definition of cloud — excuse the pun — is very nebulous.”
What we do know is that security breaches surrounding healthcare information have been on the rise, according to the Ponemon Institute. And according to The Washington Post, there are “gaping security holes” in many of the systems that hold our healthcare data.
As more and more health data is hoisted onto the so-called cloud — for research, medical, and, yes, recreational purposes — these vulnerabilities will only expand. Geneticists and bioinformaticians are using the Amazon cloud to crunch through petabytes of genetic data. Electronic medical records are a key part of the Affordable Care Act, and they’ll be the norm in the not-so-distant future. Consumers have jumped on the health “gamification” bandwagon and are sharing their health information with a wealth of companies, many times unaware that their data could be sold to third parties or whether these companies have the proper security measures in place to safeguard their health information.
“Most people see a service, and they just assume it’s safe and secure and they use it,” said Avi Rubin, the director of the Health and Medical Security Lab at Johns Hopkins University. “There seems to be, I believe, a bias when people get hold of a product to trust it and to think that it’s okay until proven otherwise instead of the other way around.”
But as the recent chain of hack attacks at companies like Apple, Twitter, Facebook, Dropbox and most recently Evernote suggest, that may be the wrong assumption to make. “Any system that consists in large part of software is hackable,” Rubin warns. At some point, someone will hack a major repository of healthcare data. And it won’t be pretty.
Lots more here:
All I can do is agree that it is only a matter of time. The stories that are told later in this article are quite concerning - to say the least.


Anonymous said...

Yes, patient and sensitive information is going to be an issue for many Australian healthcare professionals and providers into the future.

With the beefed up Privacy Act Amendments and discussions about mandatory breach notification laws awaiting passage, healthcare professionals will have to re-assess their exposure to cyber threats and risks, or not only face regulatory penalties but potential class actions from patients for remediation services like credit file monitoring.

This equates based on market estimates at around $200 per record. The math is simple: 1,000 patients x $200 = $200,000

This alone can not only damage brand reputation but potentially put GPs and practices out of business.

It is time for people in health to start to take notice about good data security and governance, but also put plans in place, and review existing systems and policies.

Otherwise if neglected face the penalties, just like the GP practice on the Gold Coast for lax policies (i.e. backup once a year).

- Privacy Paul

Bernard Robertson-Dunn said...

IMHO, all these security and privacy matters should have been anticipated and an appropriate approach to eHealth that addressed the problems that centralising health information creates been developed.

AFAIK, this has not happened, primarily because eHealth is seen as an IT system, not a disruptive technology that will have a major impact on health information.

To repeat: the PCEHR has been treated as an IT system, not a health information system. And you can't easily fix something when the fundamentals are wrong.

Anonymous said...

Makes you question what happened to the team behind NEHTA's Information Security publications, they seemed to be making some headway but nothing for well over a year, bar some fact sheets.
Is it possible they exposed questions no one was willing to acknowledge and thus quietly pushed out so as to leave things hidden?

Bernard Robertson-Dunn said...

Maybe they realised that information privacy and security is not the same as IT security.

If they didn't/haven't, then they really should.