The trouble with electronic records
In the summer of 2010, a physician working for Columbia University took his personal laptop to work at New York Presbyterian Hospital.
His decision would cost the two entities almost $5 million.
By accessing the server, the physician, who was not named in federal documents, inadvertently allowed thousands of patient records to be exposed online.
The hospital agreed to pay $3.3 million and Columbia $1.5 million, the most expensive settlement of its kind ever.
Never before has so much personal medical information been online or been so easily transferable. Medical information travels over networks, is stored on mobile devices and moves between insurers, hospitals, nursing homes and third-party providers in ways that would have seemed unimaginable two decades ago.
For the most part, that’s good. It allows doctors to know patients’ histories and search for patterns, making it easier to diagnose conditions and reduce unnecessary tests.
But it has also led to a rash of data breaches that are occurring with ever-greater frequency.
As a society, we have become used to a certain amount of personal information being exposed online, which is why there are mere tremors, instead of quakes, when Target announces that 40 million customer accounts were hacked.
But medical information can be particularly sensitive. Aside from possible identity theft, there are terminated pregnancies, S.T.D. tests, domestic violence reports and mental health issues that people won’t necessarily want to share with their employers, friends or spouses. It’s the kind of personal information most people wouldn’t want to see turn up in a Google search, which is exactly what happened after the data leak from New York Presbyterian and Columbia Medical Center, which was discovered only after the hospital received a complaint from someone who found their deceased partner’s information online.
“Because more and more information is becoming electronic, there is a greater risk of breach or loss of that information,” said Ken Rashbaum, an attorney with Barton L.L.P., who specializes in cases related to the federal Health Insurance Portability and Accountability Act (HIPAA), and advises hospitals and health systems on how to remain in compliance with state and federal privacy laws.
Medical identity theft is on the rise in part because credit card companies have gotten so good at cracking down on theft. Thieves who steal a credit card number often get to make only one purchase, if that, before the company is alerted to unusual activity and cancels the card.
“There has to be a new place for fraud to happen,” said Pam Dixon, executive director of the nonprofit World Privacy Forum based in San Diego, “and the health care sector is the chosen place because the billing system is antiquated.”
The numbers are staggering. The Centers for Medicare and Medicaid Services tracks nearly 300,000 compromised Medicare-beneficiary numbers. The Office for Civil Rights received more than 77,000 complaints regarding breaches of health information privacy and completed more than 27,000 investigations, which have resulted in more than 18,000 corrective actions.
During the last three years, the U.S. Department of Health and Human Services has recorded 18 breaches in New York compromising more than 100,000 patient records (though 97,000 came in one breach), including some of the most respected names in the industry such as Memorial Sloan Kettering, North Shore-L.I.J. and Mount Sinai.
“Some of the largest breaches have come from medical centers with stellar clinical reputations,” Rashbaum said. “Stanford, Johns Hopkins. There have been several others around the country that have had data breaches of one kind or another. There is no correlation between the egregiousness of the breach and the clinical quality of the institution.”
Most of the breaches reported result from accidents—a doctor leaves a laptop in the back of a taxi or misplaces an iPhone.
Take the recent example of a breach at N.Y.U. Langone Medical Center. In April, a hospital employee was traveling in California when a laptop with unencrypted patient information was stolen from the car. About 500 patients’ records may have been compromised.
The good news in these cases is most thieves are after the hardware and don’t know or don’t care what information is on the laptop, mobile phone or tablet they steal. N.Y.U. offered identity theft protection for 12 months to the affected patients.
The great benefit of electronic health records—the fact that they are so much more accessible and less limiting than the old paper charts tucked away in doctors’ filing cabinets—is also what makes them challenging to secure, and vulnerable to theft.
Personally identifying information is now “on file” in myriad places, as radiology, lab work and insurance data is all entered into different systems that talk to one another.
That means there are plenty of employees with legitimate access to personal data who can steal that information and sell it on the black market.
In April, the Queens district attorney charged two admitting clerks at Jamaica Hospital with inappropriately accessing computer records of 250 patients, each containing a Social Security number, date of birth, address, telephone number and details regarding injuries and treatment received in the emergency room.
There have been much bigger theft cases than that elsewhere. In Florida, in 2012, an emergency-room worker and two other conspirators pleaded guilty to accessing electronic records of 763,000 patients.
Still, nearly every hospital in the country has rules and procedures in place to try and keep lost data to a minimum, and when rogue employees steal personal information for illicit gain, the damage they can inflict is usually relatively small and easy to trace.
A larger concern involves potential large-scale attacks on a system from the outside.
“One of the big risks that has grown exponentially is incidences of medical identity theft,” Dixon said. “Hackers are targeting health care centers. They are real honey pots for data.”
International organized-crime syndicates, anarchist hackers and garden-variety thieves are targeting this data with increasing frequency, which threatens the average patient in multiple ways.
One aspect of this threat is financial: It can mean stolen money and damaged credit ratings.
But unlike any other type of identity theft, the illicit use of health care data can have medical consequences.
If someone steals your credit card and goes to Lowe’s, you might end up getting circulars for the rest of your life. When someone steals your medical identity and falsely bills an insurance company for an insulin pump, your insurer might conclude that you are diabetic. If a medical record is altered, whether by a doctor or a hacker, those alterations can follow a patient forever, providing subsequent doctors with incorrect medical information that could alter a diagnosis.
Some of the nation’s biggest and best systems are scrambling to address their vulnerability to major assaults on their data.
The hacker group Anonymous threatened to attack Boston Children’s Hospital—because it disagreed with the hospital’s handling of a child custody case—just a few weeks before the medical center’s website was subjected to numerous cyber assaults, according to the Boston Globe. The April attacks rendered much of the hospital’s internet technology useless. Emails couldn’t be sent, patients couldn’t check to see the status of their appointments, doctors couldn’t check lab results.
And that series of incidents stands to be dwarfed by an attack earlier this year on Community Health Systems Inc., in which, according to a report in Reuters, the data, including patient names and addresses, of about 4.5 million people was stolen by hackers. Community Health is one of the largest hospital operators in the country, with more than 200 hospitals in 29 states.
George Hickman, executive vice president and chief information officer at Albany Medical Center, said his institution has a sensitive firewall for its email that blocks about 90 percent of all inbound emails because email threats are that prolific.
But he said he still sees six or seven phishing attacks make it through the firewall each week, and is constantly working with staff to ensure they don’t click on something they shouldn’t. “Beyond a host of technical and administrative security measures, I.T. security is all about awareness and human behavior,” he said.
And it’s not just hospitals. Governments at the local, state and federal level are more involved than ever in health care and store records in their own databases, putting the information at further risk.
In 2012, the Utah Department of Technology Services’ computer server, which stores Medicaid and CHIP claims data, was hacked, exposing 280,000 Social Security numbers and compromising less sensitive personal information such as names, addresses and birth dates of an estimated 500,000 others.
And the future of such data invasions could be even more sinister, if the invader is somehow motivated to tamper rather than just to steal.
According to a Wired report published in April, Scott Erven, founder and president of SecMedic, “found drug infusion pumps–for delivering morphine drips, chemotherapy and antibiotics–that can be remotely manipulated to change the dosage doled out to patients; Bluetooth-enabled defibrillators that can be manipulated to deliver random shocks to a patient’s heart or prevent a medically needed shock from occurring; X-rays that can be accessed by outsiders lurking on a hospital’s network; temperature settings on refrigerators storing blood and drugs that can be reset, causing spoilage; and digital medical records that can be altered to cause physicians to misdiagnose, prescribe the wrong drugs or administer unwarranted care.”
Experts say it’s just a matter of time before a massive breach occurs that affects millions of records.
Government entities at the federal and state level are aware of the danger.
The inspector general’s office of the federal Department of Health and Human Services has warned that more attention needs to be paid to the growing threat to electronic health records, relative to the amount of energy the government and hospitals have spent pushing for the speedy adoption and use of those records.
“In the Department’s efforts to promote EHR adoption, it focused largely on developing criteria, defining meaningful use, and administering incentive payments,” an inspector general’s report said. “It has given less attention to the risks EHRs may pose to program integrity. Certain features, such as cut-and-paste and auto-fill templates may be used to mask true authorship of the medical record and distort information to inflate health care claims.”
Last week, Marsha Blackburn, vice chairman of the Energy and Commerce Committee, said security and testing of personal health information must be in place.
“The occurrence of cyberattacks is very real,” she said. “The federal government needs to ensure that the right security and testing are in place — particularly when it comes to large scale health care projects.”
The New York State health department, meanwhile, is currently drafting regulations to protect personal information on SHIN-NY (pronounced shiny), a network that shares patient data across the state.
These regulations, which are expected to be released sometime in the next several weeks, will go even beyond what HIPAA requires, said David Whitlinger, executive director of the New York eHealth Collaborative, the nonprofit entity responsible for overseeing SHIN-NY.
“You are looking at an increasing awareness by the provider community, and (increasing) penalties for being stupid,” he said. “HIPAA is now being taught in medical schools and propagated through medical societies in a comprehensive way.”
Hickman, from Albany Medical Center, said that in addition to the tighter regulations, there are also a significant number of smart, unaffiliated “good guy” organizations looking at internet security and letting health care industry players know when they see any vulnerabilities.
He mentioned as an example the Center for Internet Security, a nonprofit located just outside Albany which is working to create security benchmarks for manufacturers of implantable medical devices, starting with insulin infusion pump technologies.
Rick Comeau, the center’s vice president for security controls and automation, said that whether it’s his organization or the Department of Homeland Security or others, more information than ever about threats is being shared across sectors and industries in the service of alerting hospitals to a possibility of an attack.
Their work, he said, will never be done.
“That’s the thing about cybersecurity,” Comeau said. “Security is not a destination, it’s a journey.”
This article appeared in the September edition of Capital magazine.