February 28, 2014

EHRs May Not Be As Private As Hoped

Over the last few weeks I have been reading more than I normally do, unless it is a book. This time it is the website of Joe Flower, a healthcare speaker. He holds himself out as a healthcare futurist, but he knows his topic and what he is talking and writing about. He does not write for patients, but patients can learn from his writing.

I talked with a hospital CEO recently and mentioned his name. I was asked how I knew him, and I said from his writing. At that point I was tuned out and totally ignored. I suspect he did not want a conversation about computer security or about how it would look when the hospital's computer system becomes compromised.

I did not need to ask the one question I had wanted to ask, because I know that the patient electronic health records are not encrypted, but I did want to ask why they were not.

Joe Flower wrote a post on The Health Care Blog (thehealthcareblog.com) in which he warns CEOs (chief executive officers) and COOs (chief operations officers) to start listening to their information technology (IT) people and to have some serious meetings with them. He explains why, and puts together a strong argument for why this is important.

In November, Target had its systems compromised, and other retailers then discovered their systems had been compromised in similar ways. He tells CEOs and COOs not to take comfort in having just passed a security audit: Target had passed a security audit shortly before it discovered the break-in to its servers, credit card machines, and cash registers. The audit failed to find the malware installed throughout the system.

How could this happen? The attackers have become more sophisticated and used new points of entry. In the biggest heist in the company's history, the attackers entered through the thermostat. Yes, through the most unlikely of targets: a simple thermostat.

Most did not suspect that heating, ventilation, and air conditioning (HVAC) systems would be vulnerable to this sort of attack. To understand what happened: most brick-and-mortar stores have complicated HVAC systems, and hospitals have even more complicated ones. The security hole arises because most stores and hospitals outsource management of their HVAC systems to outside contractors, who monitor and control the HVAC over the internet. How? All the sensors, thermostats, switches, control valves, and other controls are connected to the store's or hospital's servers, and the contractor is given password-controlled access to the central computer system.

Hospitals probably have even more devices connected to the central computer system, and that system is also connected to the internet. Most companies and hospitals are not aware that these outside contractors have very poor security and often use the same password across multiple customers.

Once these outside contractors have been hacked, the attackers have access to many brick-and-mortar stores and hospitals, which in turn makes it easy for them to reach any information they want.
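The risk described above is that a contractor's account, once compromised, is a door into the whole central system rather than just the HVAC controllers. One defensive check a hospital can run on its own remote-access logs is to confirm that each vendor account only ever reaches the segment it was granted. The script below is an added example, not code from the original post or from any vendor; the log format, the vendor account name, the allow-listed network and the sample log lines are all constructed for illustration.

```python
"""
Flag third-party vendor sessions that stray beyond the segment they were granted.

Added example (not from the original post). Assumptions: the hospital keeps a
per-vendor allow-list of HVAC controller hosts, and its remote-access gateway
writes one log line per session in the constructed format used below.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines (not real data): timestamp, account,
# source IP, destination host, destination port.
SAMPLE_LOG = """\
2014-02-20T02:11:05 user=hvac-vendor src=203.0.113.7 dst=10.40.1.10 port=443
2014-02-20T02:12:40 user=hvac-vendor src=203.0.113.7 dst=10.40.1.11 port=443
2014-02-20T02:20:13 user=hvac-vendor src=203.0.113.7 dst=10.10.5.20 port=1433
2014-02-20T02:21:50 user=hvac-vendor src=203.0.113.7 dst=10.10.5.21 port=445
2014-02-20T09:05:00 user=jdoe src=10.10.8.30 dst=10.10.5.20 port=1433
"""

# Assumed per-vendor policy: the only network and port the HVAC contractor
# should ever reach. Anything else is a least-privilege violation.
VENDOR_POLICY = {
    "hvac-vendor": {
        "allowed_nets": [ipaddress.ip_network("10.40.1.0/24")],
        "allowed_ports": {443},
    }
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) port=(?P<port>\d+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["port"] = int(event["port"])
    return event


def violations(log_text, policy=VENDOR_POLICY):
    """Return (timestamp, user, dst, port, reason) tuples for vendor sessions
    that leave the allowed segment or use an unexpected port."""
    found = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None or event["user"] not in policy:
            continue  # staff accounts are covered by other controls
        rule = policy[event["user"]]
        dst = ipaddress.ip_address(event["dst"])
        if not any(dst in net for net in rule["allowed_nets"]):
            found.append((event["ts"], event["user"], event["dst"],
                          event["port"], "outside allowed segment"))
        elif event["port"] not in rule["allowed_ports"]:
            found.append((event["ts"], event["user"], event["dst"],
                          event["port"], "unexpected port"))
    return found


def summarize(viols):
    """Count violations per vendor account for a quick daily report."""
    per_user = defaultdict(int)
    for v in viols:
        per_user[v[1]] += 1
    return dict(per_user)


if __name__ == "__main__":
    hits = violations(SAMPLE_LOG)
    for hit in hits:
        print(*hit)
    print(summarize(hits))
```

In the sample, the two sessions from the vendor account to hosts in 10.10.5.0/24 (a database port and an SMB port, neither of which an HVAC contractor needs) are the ones flagged; the sessions to the HVAC controllers on port 443 pass, and the staff account is ignored because it is not in the vendor policy. The same allow-list is what a firewall rule between the vendor VPN and the HVAC segment should enforce; the log check is there to catch the case where that rule is missing or has been loosened.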

Other writers are urging system encryption as protection against people who might penetrate the firewall. I know many businesses and hospitals say they cannot afford encryption, but the cost of being hacked may open more than a few checkbooks.

With the Affordable Care Act and the ongoing interchange of data, especially between insurers and providers, enormous amounts of personal data, from addresses and credit card information to medical records, including embarrassing private health information, may become available to hackers.

Consider this appearing on hacking forums: “We can get you the medical records of anyone — any celebrity, wealthy person, or blackmail target.” Yes, this will happen, because they have hacked into the networks of information that flow between payers and hospitals, and between hospitals and clinics. I can just imagine you seeing a headline in the local paper saying the local hospital or clinic has had a data breach. Will the hospital or clinic have an exodus of patients? I would not want to bet against it.
