Hacked medical records markets in everything

For some time now I have had mixed feelings about the move to electronic medical records, here is another reason why:

On the dark web, medical records draw a far higher price than credit cards. Hackers are well aware that it’s simple enough to cancel a credit card, but to change a social security number is no easy feat. Banks have taken some major steps to crack down on identity theft. But hospitals, which have only transitioned en masse from paper-based to digital systems in the past decade, have far fewer security protections in place.

…These records can sell for as much as (the bitcoin equivalent) of $60 apiece, whereas social security numbers are a mere $15. Stolen credit cards sell for just $1 to $3. During the tour, we spotted one hacker who claimed to have a treasure trove of just shy of 1 million full health records up for grabs.

As IBM’s Kuhn explained in a follow-up interview, these medical records can be leveraged for a wide variety of nefarious purposes. In some cases, it’s about stealing a person’s identity and billing them for a surgery or a prescription, and in others it’s about opening a new line of credit. Security researcher Avi Rubin told Fast Company in an recent interview that he suspects hacked medical records are often routinely used for blackmail and extortion.

Such hacking is indeed a trend:

More than 113 million medical records were hacked in 2015 alone, according to data compiled by the Health and Human Services. A newly released report from the Institute for Critical Infrastructure Technology, a cybersecurity think tank, found that some 47% of Americans have had their medical record hacked in the past 12 months.

That is from Christina Farr.

Comments

It's a big problem. I worry about it. I think way too many medical employees have access to record data. As a result, phish just one of them and you're in. In addition the data may not be encrypted most of the time.

I think this digitization effort sounded good, but has been somewhat of a boondoggle. Can we see higher productivity , actual savings from all this, more convenience ?. I hear from a doctor friend that systems are not really interoperable between hospitals

Electronic medical records have important, concrete benefits.

1) The ability to systematically analyse performance and outcomes. If you want the quality of healthcare to improve, you have to be able to measure what is happening. For example, a hospital needs to measure who is showing up at the emergency department at different times, with what problems, in order to manage workload. Or they need to know the outcomes on a particular surgical procedure, to assess if it is being done effectively. And so on. You can't do this effectively if all the records are on paper.

2) Use for management of patients. How does a primary care provider check that all their patients with diabetes have had an appointment this year to make sure the disease is being managed appropriately, for example?

3) Quick access to relevant information. If you go to the doctor, do they have to flip through dozens of pages to find out your medical history, or is it available instantly on screen, allowing them to search for information they care about?

4) Sharing records between care providers. If you go to the hospital, ideally you want them to be able to access your entire health history, know what prescriptions you are on, etc. This is not happening if your records are on paper.

In the 21st century, storing important information on paper is just plain stupid in any field, and health care is no exception. Electronic records enable information to be available when and where it is need, as well as systematically analyzed. There are significant, legitimate concerns about electronic health care records in terms of security, usability, etc. But these are problems that will be overcome, and electronic medical records really, really, really need to happen.

This. Other benefits include checking for drug interactions. Many patients are on multiple medications from multiple providers. EMRs are also helpful for enforcing care guidelines, which is one (but not the only) reason they are unpopular with providers. While I do not have a cite at hand, I believe the empirical evidence is that care guidelines overall improve outcomes.

Your points are correct. Unfortunately implementation has been very poor.

@Dan Nice to hear feel good evangelization about digitization and technology in the 21 st century mandated by big government.
It seems to me the free market would have taken care of it.

http://nypost.com/2015/10/23/team-obamas-electronic-medical-records-mandate-is-a-disaster/

Here it says EMR increase cost for Medicare.

http://www.nytimes.com/2012/09/22/business/medicare-billing-rises-at-hospitals-with-electronic-records.html?pagewanted=all

"free market would have taken care of it"

The free market did take care of it. Hospitals have long had EMRs. It's interoperability with other providers where the headaches emerge.

That notion gives way too much credit to medical records generally. The modern medical system is entirely useless. Even if it weren't:
1. The staff is perfectly well aware of their own workload. It is also possible to track the information specified anonymously - just say x people showed up between 10PM and 10:30 and be done with it.
2. Patients are responsible for their own welfare and know if they've seen a doctor or not. A GP busybody might not like that a diabetic ignores their condition, but they can't do anything about it.
3. If you have dozens of pages of medical history, no information system in the world is going to help you overcome the fact that you live in a society so inefficient and useless as to generate dozens of pages of paperwork in what is clearly an abject failure to even pretend to heal the patient.
4. If I were in a hospital, ideally I would want them to know nothing since I value privacy. That said, EMRs won't help, since all providers use completely incompatible formats, hate each other so much they wouldn't exchange the records if they did use the format, and wouldn't trust the records if they were exchanged.
EMRs are completely insecure and unusable, and there is no reason to think these challenges will be addressed during our lifetime because there is no incentive to do so. That said, paper records are just as bad.

Greater economic liability for data breaches would increase the incentive for health care providers to do more to protect patient records.

Maybe, they would pass the increased cost of compliance on to their patients, however. In my opinion, the problem here is with the credit providers that dont take care to make sure they are not getting defrauded. Make them eat the cost when the issue a credit card to someone who isnt who they claim to be.

Don't the credit providers already tend to lose money when it turns out they've extended credit to an identity thief? It would probably make sense to force them to cover any cleanup costs borne by the victim of the theft (giving credit to anyone who can fill out an online credit form and answer a few personal questions is a policy that lets them do more business), but I suspect this won't have a lot of impact on their behavior--they're already pricing in some level of fraud.

Given that 1/2 of all citizens are known to have major leaks... and it's probably more... it's time to practice defense in depth: force better authentication on transactions, and fine the party is is guilty of not performing good enough verification. And the other part of the defense is to unlink employment from health insurance, so that people with pre-existing conditions are not afraid to move jobs. (I hear that's better under ACA, but not fixed). And finally, increase the penalties for blackmail due to medical records significantly.

As for the value of electronic medical records - experience across multiple other industries suggests that the operational efficiency problems are teething problems that will go away (both because of improved software, and less cultural resistance to workflow transformation over time). The security issue will probably be harder, but if you can drive down the value of stolen records, then the attraction will fall away

"And the other part of the defense is to unlink employment from health insurance, so that people with pre-existing conditions are not afraid to move jobs."

This problem was effectively fixed with HIPAA which was passed in the 1990s. If you received a job offer that came with group health coverage, it was and still is illegal for the insurer to deny coverage for pre-existing conditions or to impose a higher premium on you. PPACA expands this protection to people who can't or prefer not to get jobs that come with group coverage.

The problem with EHR's today is that they are designed for the benefit of institutions [hospitals, HMO's] who pay for them and articulate requirements.

Not physicians.

Analogous to the 1st wave of so called 'sales force automation' in the '90's-not designed for the Willy Lomans of the world, rather, the VP's of Sales in Fortune 100 co's.

Not 'just' teething problems.

As you say, the 1st wave. But then, actual progress. I don't know why it's going to be different. The time frame might be, but it will pass.

Why would a health provider not benefit from its employees having effective systems that meet their needs? If a doctor makes a mistake because they didn't see important information, it harms the hospital. If the doctor can see fewer patients because the clunky IT system takes forever to use, it harms the HMO. And so on.

I think the main problem with EHR systems is simply poor design, rather than the wrong requirements. It is hard to design complex software systems well, and also there are particular bureaucratic and regulatory issues in health care that hamper the process.

Doctors have a lot of pull inside hospitals, at least compared to every other employee. If the EHR system is clunky, the hospital network will feel pressure to fix it.

I assume the blackmail wouldn't be "pay up or I'll tell your future insurance company about that cancer scare ten years ago," but rather "pay up or I'll tell your wife about that HIV scare ten years ago."

Big data has a bright future, doesn't it?

Yes.

As noted here - 'The collaboration would have 23andMe generate genome sequencing data for about 3,000 of its customers for Genentech, which the latter will use to identify new therapeutic treatments for individuals with Parkinson's disease.

"23andMe helps individuals with debilitating disease participate in research and make advances happen faster," said Anne Wojcicki, 23andMe CEO. "I am thrilled about this partnership and believe this can help accelerate meaningful discoveries for Parkinson's patients."

Sources close to the deal said that Genentech, the U.S. arm of Swiss pharmaceutical giant Roche, will pay as much as $60 million for it to access the data of about 3,000 patients with Parkinson's disease in 23andMe's database. 23andMe is reportedly receiving an upfront payment of $10 million, with the company set to earn as much as $50 million in further milestones.' http://www.techtimes.com/articles/25237/20150108/23andme-to-sell-dna-data-of-parkinsons-customers-to-genentech-for-60-million.htm

3000 sequences, 60 million dollars - yep, a bright, bright future in the only way that matters - increased profit for those able to collect the data to sell.

Which, when you get down to it, really shouldn't be all that hard, actually - how many Parkinson's patients would willingly donate their DNA to Genentech for only 1% of what the company is paying to 23andMe - that is, how many Parkinson's patients could Genentech afford to pay 200 dollars to? For sheer fun, let us say that the entire process - paying the patients, sequencing/collating the data - costs 1000 dollars. That would mean that Genentech could have a database with 60,000 people in it to perform their special magic in terms of developing a drug treatment, with the primary goal undoubtedly being the assurance that it will be massively profitable. That it helps Parkinson's patients beyond the legal minimum required for regulatory approval is at best a secondary, if not tertiary, corporate concern. F. Hoffmann-La Roche AG is a business, and a very profitable one, as noted here - 'Roche is one of the few companies increasing their dividend every year, for 2013 as the 27th consecutive year.' https://en.wikipedia.org/wiki/Hoffmann-La_Roche

Genetic sequences are going to be used to better understand and treat Parkinson's disease? What a great example of the failure of big data!

But god damnit, someone's making a profit on it! How dare they make money while curing a disease.

I bet you wouldn't mind so much if you had Parkinson’s.

"F. Hoffmann-La Roche AG is a business, and a very profitable one, as noted here"
Impossible, I am regularly informed that the Germanic culture - nay, the very Germanic soul! - ensures that companies are not concerned with such twaddles as profits and returns to shareholders. This is a Teutonic calumny of the first degree.

"3000 sequences, 60 million dollars – yep, a bright, bright future in the only way that matters – increased profit"

then...

"how many Parkinson’s patients would willingly donate their DNA to Genentech for only 1% of what the company is paying to 23andMe "

So which is it? Companies are a) greedy bastards (23andme) or b) spendthrift idiots (Genentech) that want to give their money to other companies.

The problem are not hacked medical records but the policies that made the SSN so important and vulnerable. It started as a database to track earnings and contributions to social security and today it is used for getting a private loan. The security failure may have started when the banks started using it.

It's like using 123456 as password for all web services and then act surprised after a hack.

Wait a minute, according to federal law SSN isn't supposed to be used for identification purposes.

It used to say "not for identification" on the card, but that was removed many years ago. Use of SSN for identification has never been against federal law.

There's something wrong when the SSN is needed to get a credit card. It seems the problem originated when the IRS thought is was "so easy" to use the SSN for tax purposes.

If credit bureaus stop using the SSN as the unique identifier in their databases, they would need another ID number also issued by a government authority of some sort.

Maybe I'm missing something here but why do the credit bureaus need to tie the credit staus to some goverment id? For that matter, why would they need it to provide a line of credit or a loan?

All they really need for the latter is some mechanism to authenticate the applicant is who they claim and can be found where they say they are located -- and have the resources they claim as backing the colateral, if any, standing behind the credit provided. A lot of this could come from various thrid parties. The only problem then is the idea that one can easilyt cross reference but I'm not at all sure that is something the government, and especially the federal government, should be providing.

People can and do change their names and addresses. A lender needs a system that lenders share in common and where previous loans and repayment history are reported in a manner that is tied to a borrower's identity. So each individual needs to be assigned a unique ID number that serves as the primary key in the database and that every lender and credit bureau agrees to use. Why delegate such an important function to a third-party monopoly when government can do it with much less hassle? If you don't like SSNs, have all the state DMVs and election authorities coordinate so that when someone first applies for a driver's license or first registers to vote, they are assigned a number that stays with them forever even if they move to other states and that can be used for credit check purposes.

There's a difference between it being used for identification and being used for authentication.

It was never supposed to be used for either, but today it's used for both. We probably can't get away from it being used for the first, but we can definitely get away form it being used for the second.

That's a good one.

Some security wonks have suggested that USGOV just publish everyone's social security numbers and names on their website, announcing their move 12 months in advance. It would destroy the ability of anyone to use knowledge of an SSN as any kind of password on my life.

The wonders of Obamacare just never cease, do they?

What does Obamacare have to do with poor security practices for Medical records?
To a hammer , everything looks like a nail.

Well this is a real shoker. After all we've had HIPPA in effect for 20 years now so you'd think we were all safe because all these medical and medical insurance providers were mandated to protect our personally identifying information. Seems odd that with such a requirement in place we don't hear much about either punishment or compensation for the breaches.

The second P stands for "Protection," right?

Wait a minute, there is no second P!

Put a freeze on your credit reports.

Also see Krebs on Security:
http://krebsonsecurity.com/

A "security freeze"

http://krebsonsecurity.com/2015/11/report-everyone-should-get-a-security-freeze/

Scenario -- Large employers use such records for hiring decisions. Smaller employers eventually converge on hiring policies of mostly hiring those who have recently been working at large firms -- in effect using the larger firms for vetting. Individuals with hacked medical records which are likely to be interpreted negatively by employers end up in mostly marginal temp jobs. Stigma then tends to accumulate at the individual worker level through various means. Credit records deteriorate. Social capital decays (think 'Bowling Alone'). (General principle: You're only as good as your last major achievement but in an information economy negatives accumulate.) Such individuals increasingly drop out of the workforce and eventually some are awarded disability compensation. (A possible comparison is to having some sort of criminal record, theoretically in some cases expungable but now with today's Darkweb and other information pipelines ..) At a more abstract level -- are labor markets only as efficient as the guess-work estimates of human resource departments?

Comments for this post are closed