How Safe is your Personal Health Information?
By Wayne Caswell, Modern Health Talk
People worry about the security of their identity, financial and medical information when they hear stories of hacker attacks on large commercial and government websites, including AOL, Hotmail, Microsoft, MySpace, NASA, Sony, Stratfor, USBank, VeriSign, VISA, Xbox, Yahoo, and many others. They also worry when they read about Target, Google, Facebook, and Twitter pushing privacy boundaries and taking liberties with their collected customer data. Both types of stories dilute trust.
It doesn’t much help when a company that overreaches and gets caught simply promises to do better, and then, if public outrage prompts talk of legislation, joins industry initiatives proposing new plans for self-regulation, such as the publication of privacy policies that users seldom read.
This article addresses the question, “How Safe is your Personal Health Information?” It examines the benefits and security risks of storing your personal health information online, based on my own personal experiences and decades of IT experience. But I’d like to hear of your experiences in the comments section too.
Electronic versus Paper Records
While I learned about home security through personal experience as a victim, my perspective on the physical and data security of computer systems comes from my 30-year career at IBM and as a consultant.
Paper Records
Let’s first look at paper records, because you fill out paperwork with the same information each time you visit a new doctor or clinic or lab or dentist or optometrist. Each office keeps the records they generated about you in those multicolored filing systems. Unless you take copies with you, visiting another office may require a repeat of tests at added cost.
A fire or windstorm can destroy any records in your doctor’s office, just as it can destroy records you keep at home in paper files or on a PC. But worse is the life or death risk of delays in accessing your medical records in an emergency.
Electronic Records
Thankfully, the ability to digitally record and transmit medical records electronically saves money and lives. Health information technology (health IT) lets us manage our health information, communicate electronically with health care providers, and improve the quality and coordination of care. I’m a strong advocate of health IT and believe that electronic records are safer when stored in cloud-based services, although that does pose a new set of security risks.
Some health IT tools are made for health care providers, while others are made for health consumers. Electronic Medical Records (EMRs) are used by your doctors and health care providers to keep track of your tests, treatments, care plans, and progress. Personal Health Records (PHRs) are for you to store information about your family’s medical history, emergency & medical contacts, insurance policies, prescriptions, allergies, appointments, etc. The US Surgeon General provides My Family Health Portrait, a free PHR that ties into Microsoft HealthVault and (soon) other PHR and EMR systems.
Federal Protections in HIPAA
HIPAA (The Health Insurance Portability and Accountability Act of 1996) already addresses the security and privacy of personal health information and establishes national standards for electronic health care transactions. HIPAA details can be found at http://www.hhs.gov/ocr/privacy/, but in general, HIPAA…
- defines patient rights with respect to their “individually identifiable health information,”
- provides federal protections, including administrative, physical and technical safeguards, to assure the confidentiality, integrity and availability of that information, and
- permits disclosure of that information when needed for patient care and other important purposes.
What’s There of Value?
You may place a high value on your health information, including test results, prescriptions, and doctor notes, especially if it’s needed in an emergency, and your doctor may also place a high value on it, but your health information likely has little value to others. It’s extremely unlikely that someone will hack into computer systems to steal your medical records.
The Risk is Identity Theft
This is likely the biggest exposure of services that store electronic medical records, since identity thieves could have a field day with credit card information, social security numbers, driver license numbers, phone numbers, addresses, and birthdays, especially if they can gather thousands or millions of records online. That’s why it’s important for companies to maintain electronic medical records separately from identity and financial information. Most experienced health IT companies understand and do this, but some may not, so ask.
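To make that separation concrete, here is an added example in Python (mine, not code from the article or from any PHR or EMR vendor): clinical notes and identity data sit in two separate SQLite databases joined only by a random per-patient token, with a check that confirms no identifying value has crept into the medical side. The table layouts, function names and sample patient are all constructed for the example.

```python
import secrets
import sqlite3

# Added example, not code from the article or any PHR product: clinical
# records and identity/financial data live in two separate databases
# (in-memory SQLite here; separate servers with separate credentials in
# practice), linked only by a random per-patient token.


def open_identity_store():
    """The PII side: name, SSN, date of birth, insurance."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE identity (patient_token TEXT PRIMARY KEY,"
               " full_name TEXT, ssn TEXT, dob TEXT, insurance_id TEXT)")
    return db


def open_clinical_store():
    """The medical side, keyed only by the opaque token."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE clinical (record_id INTEGER PRIMARY KEY,"
               " patient_token TEXT, recorded_on TEXT, entry TEXT)")
    return db


def register_patient(identity_db, full_name, ssn, dob, insurance_id=None):
    """Store the identity row and return the linkage token.

    The token is random rather than a hash of the SSN: the billion possible
    nine-digit SSNs can all be hashed and compared quickly, so a hashed SSN
    is not an anonymous key; a random token has nothing to reverse.
    """
    token = secrets.token_hex(16)
    identity_db.execute("INSERT INTO identity VALUES (?, ?, ?, ?, ?)",
                        (token, full_name, ssn, dob, insurance_id))
    identity_db.commit()
    return token


def add_clinical_entry(clinical_db, token, recorded_on, entry):
    """Append a clinical note for the patient known only by token."""
    clinical_db.execute("INSERT INTO clinical (patient_token, recorded_on,"
                        " entry) VALUES (?, ?, ?)", (token, recorded_on, entry))
    clinical_db.commit()


def clinical_store_contains(clinical_db, needle):
    """True if `needle` appears literally anywhere in the clinical store.

    Run over the medical side with names, SSNs and card numbers as needles,
    this is the check that confirms nothing identifying leaked across.
    """
    for row in clinical_db.execute("SELECT * FROM clinical"):
        if any(needle in str(value) for value in row):
            return True
    return False


def patient_chart(identity_db, clinical_db, token, may_view_identity):
    """Join the two stores for one patient.

    Identity columns are attached only for callers authorised to see them,
    and the SSN is never part of the joined view: a clinician reading the
    chart does not need it, so a copied chart cannot leak it.
    """
    rows = clinical_db.execute(
        "SELECT recorded_on, entry FROM clinical WHERE patient_token = ?"
        " ORDER BY record_id", (token,))
    chart = {"patient_token": token, "entries": [tuple(r) for r in rows]}
    if may_view_identity:
        row = identity_db.execute(
            "SELECT full_name, dob, insurance_id FROM identity"
            " WHERE patient_token = ?", (token,)).fetchone()
        if row is not None:
            chart["identity"] = dict(zip(("full_name", "dob", "insurance_id"), row))
    return chart


def demo():
    """Constructed sample patient; the SSN is an obviously invalid placeholder."""
    ids, clin = open_identity_store(), open_clinical_store()
    tok = register_patient(ids, "Jane Example", "000-00-0000", "1970-01-01")
    add_clinical_entry(clin, tok, "2012-03-01", "Allergy: penicillin")
    leaked = (clinical_store_contains(clin, "000-00-0000")
              or clinical_store_contains(clin, "Jane Example"))
    # A stolen copy of the clinical store yields notes keyed by tokens, not people.
    return leaked, patient_chart(ids, clin, tok, may_view_identity=False)
```

Compromising the clinical store alone in this layout yields medical notes attached to random tokens; the identity store must be breached as well, and with its own credentials, before any record can be tied to a person.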
Cloud Services
Cloud computing is a new buzzword derived from the cloud image often used to represent the Internet. The concept of using Internet and network-based services is driven largely by big corporate players like Amazon, AT&T, Google, IBM, and Microsoft, but it’s just another form of distributed computing. That means you don’t have to install and maintain the software and data on your own computer system but can rely on a trusted service for that. All you need is a web browser and access to the Internet. The key word here is “trust,” and any service you use must be trustworthy.
As consumers, we use some form of distributed computing every time we access the Internet – to make airline & hotel reservations, buy stocks, read & respond to news stories & blogs online, use Facebook or Twitter or email, share photos, watch videos on YouTube, etc. – and each time we give up some personal information in exchange for a benefit. We don’t think or care much about what’s going on out there in the cloud except that we want to reliably and securely do stuff and share stuff.
Cloud computing adds a new layer – services – to the Internet collection of data pipes, routers, servers and networks. Behind the services are companies we trust to manage the data and computing resources for us.
How Secure are Cloud Services?
When entering a credit card number to buy something online, do you look for the little “closed padlock” image at the bottom right of the browser to be sure that the data is encrypted? You should.
While some people in the IT industry have argued that moving data from internal systems to remote services removes control and has security risks, other IT experts say Cloud Computing saved those companies millions of dollars and is more secure than what they could have done internally.
Potential Disadvantages of Cloud Computing include:
- Too Much Control in the hands of Too Few. “As data consolidates, I have ‘Big Brother’ concerns.”
- Too Much Hype. “While I recognize the benefits, Cloud Computing is not a panacea that’s suitable for all applications. I wouldn’t trust it for managing IRS and Social Security systems.”
- Performance Concerns. “I worry that performance of a system shared by others will be slower.”
- Security Concerns. “Will a service provider protect my data & prevent unauthorized access better than I can?”
- Control of Passwords. “They let users control their own passwords without the stringent requirements we use here, such as changing passwords weekly.”
- Lost Jobs. “By outsourcing IT services, employee jobs may be at stake, including my own.”
Advantages of Cloud Computing include:
- Users Control Their Own Stuff. Your health records are private unless you grant access to others, and even then you often get to determine who can see or edit what.
- Team Collaboration. Health providers working in teams can edit the same document, individually or at the same time, and a history of prior versions is maintained. That’s far more secure than sending email with attachments.
- Improved Performance. Cloud datacenters use more sophisticated servers and network connections than most businesses can afford on their own, so performance can be better.
- Data Security. Most Cloud services have better physical and data security protections than most private datacenters. But there are other factors to consider. Have you noticed how many stories have appeared about lost laptops alone? They can pose far greater security risks.
- User Controlled Security. Users can take security into their own hands and decide who gets to see or edit their health records. You can even be alerted via email if somebody logs into your account from a different IP address.
- Data Backup & Redundancy. Cloud services not only back up files regularly but often also replicate them onto servers in other cities so they can withstand regional disasters. By comparison, data stored on a home PC is at risk since the home could burn, flood, blow away, or be burglarized.
- Competition. Competitive bidding keeps prices low and helps ensure that services take security and performance seriously, because the economic damage from a security breach would extend far beyond the financials alone. The larger cost would be in the loss of confidence and brand value.
- Cost Savings. The savings are so significant because companies providing cloud services amortize costs over thousands or millions of clients. Physical site costs include replicated facilities, computer systems, wiring, ultra-fast Internet connections, air conditioning, fire protection, battery backups, and other redundancies. Operational costs include advanced network operations, backup and customer care, among others.
Highly-Secure Data Centers
Here’s an example of a highly-secure data center to give insight into what today’s modern Cloud Computing services offer. I was an IBM computer operator when I did a research paper on physical & data security and IBM’s data center in White Plains, NY. The 2-story “block house” had 4’-thick, reinforced concrete walls with no windows. It was built on springs with all utilities underground, and it was rated to withstand a direct-hit atomic blast in New York City. A double-door entry with badge reader, retinal scanner and a sensitive scale was near an armed guard. You had to weigh exactly the same coming out as going in, meaning that you couldn’t even remove a pencil that you didn’t go in with, and all restrooms were outside of the computer room. The computer systems were protected by Halon fire systems and huge banks of battery backups and generators. That was 40 years ago.
Lack of Imagination
Internal human factors and the lack of imagination are probably greater security threats than data security from hackers or physical security of datacenters. Some high-profile cases of hacking government systems involved simple phone calls to a “helpful” support person and convincing them to reset a password. But my favorite was the fired tape librarian who was given two weeks’ notice instead of being escorted out that day. His job was to send backup tapes to off-site storage and to repurpose out-of-date backups as “scratch” tapes for the computer room floor. Upset and fuming, this disgruntled employee had two weeks to instead send scratch tapes to offsite storage and remove the labels from master file backups and send them out as scratch tapes. By the time the company noticed that the master files were unreadable, there were no useful backups.
Email and Phishing
Before entering a password to sign in to a secure website you might notice the icon of a little lock at the top or bottom of the page to indicate the data being transmitted is encrypted, but email is inherently insecure. The data, which might include user IDs, passwords, and attached files, is not encrypted, and there’s no easy way to prevent someone from forwarding your mail to others without your consent or knowledge.
The use of easy-to-guess passwords, including ones you might choose, can also be a security problem, but so can opening “phishing” emails from people you don’t know and then clicking on links inside. Soon after, you learn you’ve installed a virus or malware that uses your PC to spread to others or to log keystrokes so someone can discover your passwords remotely.
The reason I tell you this is that YOU may be a far greater security risk than the company storing your personal health records.
Unsecured Wireless Networks
If you installed a wireless network at home, do you realize that the default Wi-Fi installation has security encryption turned off? You should, and you should take steps to turn encryption on. But even that won’t make Wi-Fi security bullet-proof, as I describe in Comparing the wireless security of HomeRF and Wi-Fi, a white paper I wrote in 2001 about two competing wireless technologies.
A free software download allows you to drive around town with your notebook PC and notice all of the open Wi-Fi networks with no security encryption at all. Anyone parked outside (or a mile away with a directional antenna made from a Pringles can) can monitor your network traffic and capture your login IDs, passwords, and credit card information. So security of your health records might be the least of your concerns.
Even worse is that any home with an unsecured Wi-Fi network can be a national security threat, since terrorists are less likely to use their own network or a public library network to do bad things and are more likely to use YOUR network. Even if the NSA manages to notice threatening data traffic, they can only trace it back to your router and wireless access point – not to the guy in his car a mile away.
Even encrypted networks are not 100% secure, as students at the University of Maryland have shown with enough compute power and captured data. That again is why it’s a good practice to store personal health information separately from identity and finance information.
Conclusion
To fear the Internet and technology is to hide from innovation and progress. I think most security fears associated with Cloud Computing are exaggerated by the news media and unfounded for many reasons. Greater risks include things that YOU have control over, including giving a waitress your credit card and then not closely monitoring charges, allowing someone to look over your shoulder as you enter your PIN at the ATM, and not having your medical records available in an emergency.
I trust Cloud providers like AT&T, Google and IBM because they (1) understand the risks, (2) have the skills to minimize them, and (3) know that any breach could seriously damage their brand to the tune of billions of dollars. They provide Cloud services to major corporate clients who also trust that they can do a better job of protecting their data, because they can. Protecting that trust is why these data centers and networks do so much to secure the data, why they encrypt it as it’s both stored and transmitted, and why the data centers themselves are replicated.
The Basis of my Perspective
First, I don’t think you can make anything 100% secure. The cost and effort to protect it relates directly to the chances of compromise and the damage if it is. I learned that important lesson 35 years ago from a house burglary that occurred twice, exactly a month apart. I also learned that the chances of a recurrence go up dramatically, since the burglars now know how to get in and expect insurance to pay for new stuff. And I learned how to understand vulnerabilities, motives and skills.
I was a student by day and an IBM computer operator at night, and I came home one night to find glass on the front porch under the front door and the door unlocked. I called the police, and they dusted for prints but got nothing useful since cold winter weather makes hands and fingers dry.
It seemed like I must have surprised a small group of teenagers who escaped out the back, because of what was taken, and what was not. Among the items missing were several bottles of liquor, a suit, pair of old sneakers, and some cool silver & gold jewelry that I made in the army. They left behind a full carat diamond ring, possibly to avoid questions they couldn’t answer if they got caught.
Since they left in a hurry and I feared they might return, I asked the police how to better secure my home. I installed double-plunger deadbolt locks on the front & back doors that need a key to exit too. And I drove large screws into the windowsills so the windows would only open 6” for ventilation.
A month to the day I again found glass at the front door, but the door was still locked, so I unlocked it and went in to find that burglars had hit again. The back door was still locked too. The kitchen window was open, but just 6” – not enough to get in. Another window was open wider. They used a small crowbar to pry open the window and break the window lock, and then they banged the window up hard again & again until the screws bent upward enough so they could crawl in.
I would have loved to watch as I imagined the crime scene unfolded: Rip the stereo & speakers from the cabinet while leaving the wiring intact. Rush to the front door but realize they couldn’t escape there. Run to the back and find the same secure lock. Use the crowbar to unsuccessfully pry open both doors, leaving the door frames severely damaged. (Repairs required replacing half of the old wood & lath wall.) Dig through all of my drawers until they found a Phillips head screwdriver to remove the window frame screws, and exit through the window with their booty, at least the part that would fit through. My expensive racing bike wouldn’t.
That’s when I learned about motives and skills and how amateurs are easily scared off by the higher risk of homes with a security system. (Actually, I didn’t have to install an alarm, just added stickers on doors & windows saying I did.) Alarms, however, don’t deter professionals with skills learned from internships at alarm companies. They know how to circumvent them. That’s why I don’t trust home security monitoring services and would surely not have the same company to do the installation. I don’t want them knowing what type of protections I have installed.
I also learned that most security measures only keep honest people honest and are ineffective against a motivated and skilled criminal with harmful intent. So if I were a burglar and wanted to break in to a home with a security system, I wouldn’t even bother with doors or windows. It’s easy enough to just go through the roof or walls. I’d pick homes without pets, however, because they probably don’t use motion or pressure sensors.
The understanding of motivations and skills helps you craft protections against dishonest people, and anything that decreases their profit and increases the risk of getting caught & prosecuted is often effective. So besides the alarm stickers, I also engraved my driver’s license number on high-value items and added Operation Identification stickers to say everything was registered with the police.
These lessons from home security can be applied to the security of online services and our nation’s critical infrastructure, but they don’t guard against disgruntled employees and human error. The disgruntled employee wants to inflict damage but is not worried about getting caught and may actually want you to know who it was. An example is when Anonymous claims responsibility for a hacking attack.
About Wayne Caswell, Founder & Senior Editor
As a technologist, futurist and marketer with IBM, Dell, Siemens and his own consulting firm, Wayne knows the positive effect digital technologies can have on society and the challenges of adopting them. He introduced IBM to the Digital Home market before retiring after 30 years when the company got out of consumer markets. After IBM, Wayne established CAZITech Consulting, held leadership roles in industry groups developing Wireless and Home Gateway standards, volunteered with the FCC Consumer Advisory Committee, successfully lobbied the Texas legislature to protect the rights of municipalities to install public Wi-Fi networks, co-founded a nonprofit consumer advocacy to enact new consumer protection laws and abolish an abusive state agency, and founded Modern Health Talk. Wayne can be reached by email or at 1-512-507-6011.
This is a splendid site, I had a good feel surfing through it and getting the information that I have to convey for my term paper. Great info over here.
As a physician/computer scientist, I wrote a recent article on this matter – Secure Personal Health Information.
My vote would be for increased transparency. The methods used to store our data should be published and publicly available, and we should be asking vendors these questions.
Related articles continue to appear in the news media. I’ll attempt to include the most important ones here.
The Obama administration today announced a consumer privacy “bill of rights” to give web users more control over how their personal information is collected and used online. It defines 7 principles to protect consumers’ digital privacy, including the right to opt out of having your web activity tracked and personal data collected. Here’s an article and video describing it.
Cliff,
Thanks for your very thoughtful reply. It causes me to reflect upon (1) my home burglary experience, (2) my years as an IBM Systems Engineer at large hospital accounts, (3) my understanding of Cloud Computing, and (4) the security issues as our nation wants to put more health information online through EMR & PHR systems.
I look at the security challenge as a continuum that balances the cost & effort to protect the data versus the chances of compromise and the potential economic damage. The likelihood of compromise (intentional or accidental) and the impact goes up with the volume of information stored online, and the security measures must scale accordingly.
A home burglar, for example, is unlikely to risk breaking into a modest home with an alarm system, but high-value contents can change the decision criteria. That same principle applies to health information that includes identity and financial data. The risk of compromise is low for a single patient but higher when thousands or millions of records can be accessed with the same effort and risk.
Ideally, going online would be with a whole new design, but your note is about the reality, and that’s a bit scary. I mentioned the need to separate health data from identity & financial data, but the danger you raise is that most hospitals don’t do that in their paper systems, so automating those systems makes more records accessible with the same effort, and this increases the risk. I expect that modern EMR systems do separate this information into different relational databases that can be programmatically “joined” together to appear as one, and this makes it more difficult for hackers to access. But scanning and storing paper records that also include identity and financial data is a separate issue.
If the healthcare industry does not realize the risk and take proper steps to protect patient information, and if high-profile security breaches occur, then we can expect expensive federal mandates. So my advice to hospitals is that it will be far, far cheaper for them to make sure your electronic systems are secure now than to face the consequences later if they aren’t.
And my advice to consumers is to ask your doctor and hospital how their data is stored and make it clear that you’ll hold them accountable for any identity theft loss due to a security breach. Feel free to call or email me with any questions you may have.
Cliff responded by email, but his comments deserve posting, so here they are:
Really terrific point on your end as well. I like how you seamlessly bring all the pieces together and nail down the critical issues.
I think we both agree that this is a monumental issue. It cannot be underplayed. Identity theft is the crime of the times, and just as if you jump into shark-infested waters your risk of getting attacked goes up exponentially, a move to electronic health records and linking them to an internet connection raises the risk.
I don’t know why, but I just have this suspicion deep down inside that this is just not currently being given the proper weight. We will see breaches, there will be brand damage and lawsuits, etc., etc. It will be part of the growing pains of moving to an electronic health model. Some will take the heat more than others, and the others will learn from those lessons. And yes, some patients will be victims. It’s about minimizing the risk, and the winners will be the hospital administrators that invest adequately in security for health records and make it an operating priority. Just as ATM debit card/credit card security has evolved (with the 3 digit code, customers picture on the card, activation codes, etc.), the security measures will evolve with healthcare records. It will be a game of how much investment in security is necessary to ward off X% of attacks. It’s going to be a numbers/statistics game and $$$ driving the statistical confidence levels.
All good points, Cliff. I just don’t want security fears to prevent the use of electronic records, because the benefits can be life saving. The trick, as you say, is raising the awareness and finding the right balance, even if some who didn’t do that are made examples of.
I work in a major regional hospital. I do not know if, how, where in our (HIS) system these numbers are linked with the patient’s SS#. But, given that all the other demographic information is there, it’s probably accessible to those with the proper authorities. For instance, Keane runs the show and if a social worker needs to get a patient into an acute care nursing home, they are probably going to need the patient’s SS# to get them in there for medicare/medicaid purposes. I could be wrong as I am not involved with these patients on the financial end. But, I don’t know of other systems that exist which would interface with Keane. It’s now raising a lot of questions in my mind.
One issue that brings patient data security to mind is cloud computing infrastructure. Our echo PACS (Philips’ Xcelera) is due for an upgrade. But, there are two options for the upgrade. We either have to purchase an updated/upgraded server for the PACS or move to a cloud computing infrastructure for Xcelera. We use Xcelera to store both images and the diagnostic reports. After a certain period of time, those images and related reports get archived to an off-site server. But, the move to the cloud of course raises patient ID security issues, and I actually sent our IT manager a whitepaper by Intel about security and cloud computing to address the issue.
I think hospitals are trying so hard just to keep out of the red and in many cases just trying to keep their doors open, that working on a universal/national patient ID or collaborating with such an initiative is not even a top 5 on their priority list. So, again I have not heard really anything substantial or groundbreaking from our administration with regards to patient identification. I do know more and more we are moving to an electronic health record and have more and more initiatives to move away from paper (this past year we implemented an emergency department information system), but this does not necessarily translate to a change in patient identification.
We are lectured, from the first orientation on, on the importance of protecting patients’ IDs and records. But, given that they are moving more of those records to an electronic format (either scanning existing records into an imaging/records archive, or, for new images/records, generating, reporting on/interpreting, saving, and archiving them all electronically). For instance, the cardiologist used to read all the 12-lead ECGs/EKGs from the print-out, but all that is now being done electronically from our cardioserver. So, if it’s all electronic records, then the level of security really resides with and lies on the IT person and vendor that lays out the security infrastructure/layers, and it’s kind of out of the techs’/doctors’/nurses’ hands so long as they don’t post their log-in information on the internet. The biggest risk to patients’ identity, especially at a large facility, probably IS from the inside versus the outside. I guess you just have to hope that your hospital has the right IT people who put the proper electronic security/software measures in place and then keep up with changing threats/technologies. And that’s a challenge for hospitals, where the top IT people may not be attracted given the modest pay, compared with say financial institutions, stock brokerages, or online web storefronts.
I’m definitely not an expert on this particular issue. Thinking about this I now have more questions than answers, and getting the real truth would probably require an interview with a top IT VP from a major hospital system. Sometimes you’ll get a published interview with this type of person in a magazine called “Network World.” There are huge pressures for any hospital department to operate economically, and IT is no exception, especially since it’s not a revenue-producing entity for the hospital. So this fact may give one some pause. But, at the same time, the damage that an identity leak can have for a hospital can be significant, so that’s incentive to be aggressive about it. Also, perhaps other than stealing one’s identity, if someone does get access to another’s insurance information, it would be hard to utilize without the proper ID, and getting cash directly out of that would be difficult, although they could potentially sell the information.
In the environment of a hospital that has moved to an electronic infrastructure, perhaps the answer to your question, “How Safe is your Personal Health Information?”, is: as safe as the IT gatekeeper has made it.
-Cliff
The Surgeon General’s free PHR tool doesn’t save your data but lets you store it on your PC or in a Microsoft HealthVault account. Here’s what it says when you’re ready to save:
“To respect individual privacy concerns, this website does not save your family health history information. However, you can save your family health history to your own local storage area (such as your computer’s hard drive, a CD-ROM, or USB thumb drive). In addition, you can save to a third-party system such as Microsoft HealthVault (other third party systems will be added in the future). Some hospitals and doctors’ offices will be able to obtain this family health history information stored with a third party system, if you grant them permission, and directly incorporate your family health history into an electronic medical record.”
When I tested the system, I took the option to create a HealthVault account and store my records there. Rather than use my social security number, it uses your email ID and a password, and it includes optional security measures to prevent unauthorized access. Here’s an example: “For added account security, receive a confirmation phone call every time you log in to HealthVault.”