Mandatory Health IT and Cybercrime

If the mandatory health IT faddists have their way, your doctor’s office, your hospital, the lab that does your tests, and your Regional Health Information Organization (RHIO, the “key to the National Health Information Network” according to Wikipedia) will become prime targets for hackers and carders.

The question that should be asked, but isn’t, is whether the cost of trying to secure electronic health records, and cost of the inevitable security breaches, is less than the administrative overhead created by the current system of distributed records kept in a variety of formats. You can stop using a credit card if its security risks begin to outweigh its benefits. You can’t do that with mandatory electronic health records.

Proponents of electronic medical records say that health care records should be computerized and shared because records in other industry are computerized and shared.

┬áIn fact, other industries typically maintain data on private data networks. Information sharing is generally limited to small, relatively standardized pieces, even in banking. Health care IT gurus, in contrast, envision a system in which everyone’s entire medical history, contact information, and means of payment is instantly available to a very large fraction of the 14 or so million people employed in the US health care industry.

The security problems inherent in vetting a relatively simple thing like a purchase using a credit card should make people seriously consider the danger posed by large, centralized, easily available electronic health records.

On March 31, 2009, hearings on credit card industry data standards and cybercrime were held by the U.S. House of Representatives Committee on Homeland Security. They provide a fast introduction to the security problems faced by credit card issuers, and the merchants who accept them. Andrew R. Cochran of the Counterterrorism Blog outlined the extent to which stolen credit card records and associated information have been used to finance terrorism. Other experts in credit card processing outlined the different concerns common to people involved in different parts of a credit card transaction.

Testimony by Rita M. Glavin of the Criminal Division of the U.S. Department of Justice outlined how credit card data is targeted by specialized criminal enterprises and sold to other groups to facilitate their illegal activities. She noted that perfect security is impossible even under the new Payment Card industry Data Security Standards for merchants and third party processors. She also pointed out that “merchants and processors who hold individuals’ sensitive financial information are prime targets for hackers and carders.”

M. Eric Johnson of the Center for Digital Strategies at the Tuck School of Business has chronicled the “Data Hemorrhages in the Health-Care Sector” in a recent paper in Financial Cryptography and Data Security. Even with HIPAA, file sharing is a major source of health care information leakage. Fraud rings also operate to obtain and sell medical identities obtained from stolen laptops and inadvertent postings on peer-to-peer networks. Among other things, the medical identities are used by people wanting free access to expensive medical care. In the process, their treatment is added to someone else’s medical record rendering that record worthless for guiding treatment.

Unfortunately, government at all levels has a poor record of securing its data networks. In some 2009 incidents, the State of Maryland lost personal information on about 8,000 employees in the mail. Student records from the Nashville Public Schools were found on the street. New York City Housing Authority records on resident names, addresses, Social Security numbers and dates of birth turned up in the street. And Sonoma County sheriff department employee records were stolen from a laptop in the trunk of a police car parked at the Santa Rosa Municipal Service Center.

Comments (4)

Trackback URL | Comments RSS Feed

  1. Bruce says:

    Linda, agree with you if EMRs are imposed by the government. But have I not read at this very site about successful private sector users of EMRs?

    Shouldn’t we distinguish between Govenment-backed, demand side systems and private sector, supply side innovations?

  2. Vicki says:

    This report is a bit unnerving.

  3. Linda Gorman says:

    Bruce, what is vountary about the national health IT plans and the ones being done at the state level? The systems in other industries have been developed voluntarily. In health it hasn’t been voluntary at all.

    The record keeping system an individual physician or hospital uses is not the same as a federally required EMR or federally imposed interoperability standards. We already have standardized file sharing–take a Word, Adobe Acrobat, or text file and put it on a flash memory stick. File is shared. Want to send file over the web? Password protect it or encrypt it with PGP and ship it off.

    What we don’t have is centralized file sharing that will let people rummage through our data at will. Government health care enthusiasts don’t like this and want to change it.

    Under HIPAA, the government makes it hard for families and physicians to get health information while making it perfectly legal for government to rummage through anyone’s record at any time. But rummaging is limited by the fact that everyone’s data system doesn’t have to be connected. The goal of national health IT is to change that. The claim that this will reduce costs and improve care are just the (likely untrue) selling points.

  4. firearms says:

    Great read, I just now passed this onto a friend whom was doing a little research on that. And he actually bought me lunch simply because I uncovered it for him laugh So allow me to rephrase that: Thanks for lunch!