Bad medicine: Can poor data security result in death?
In this case there are life and death considerations. The frightening reality of the worst case scenario is made clear by the Federal Trade Commission's site on Medical Identity Theft:
Every time a thief uses your identity to get care, a record is created with the imposter's medical information that could be mistaken for your medical information – say, a different blood type, an inaccurate history of drug or alcohol abuse, test results that aren't yours, or a diagnosis of an illness, allergy or condition you don't have. Any of these could lead to improper treatment, which in turn, could lead to injury, illness or worse.
Medical identity theft: Mining silver from a gold mine
Medical records could become compromised during transmission, on the patient's computer, or at any number of multiple points of storage.
Worse, the Zeus trojan has been documented to sift through and transmit data and transmit massive amounts of targeted credential information back to its cybercrime base, often measured in the gigabytes:
The [Mumba] botnet uses four different variations of the Zeus malware to steal social networking credentials, bank account details, credit card numbers and email communications from the zombie machines.
[It] supports the latest Microsoft operating system, Windows 7, and also is capable of stealing HTTP traffic from Mozilla Firefox users,
Keeping one operating criminal theory in mind provides a simple perspective: As more digitally stored medical information becomes identifiable it will suffer the same risks of mining as other credentials such as banking logins. Commoditizing the medical insurance information into an identity bundle is definitely an incentive. Here's how this would work:
- While medical coverage is deemed a lower-tiered income generator, cybercriminals rarely leave any money behind.
- In the same manner a gold mine may be mined for silver after the gold is all gone, the coder cybercrime specialist may easily rewrite his or her malware to rescan all infected systems under their control for additional revenue after tapping out bank accounts and credit cards.
- The retrieved information would be sold by a cybercriminal known as a vendor, auctioning off the full identity with medical coverage as a ëvalue add' to squeeze a few more dollars out of their more traditional criminal clients who range from street gang soldiers to cartel burnouts.
- Identity thieves could use a variety of identities to gain access to medical treatment whenever they chose to, at a cost estimated under 30 to 50 dollars.
My prediction is that we can expect automation of crime via malware to evolve into mining previously compromised systems for stored yet unencrypted emails as well as malware targeting the HTTPS traffic which more and more medical companies are relying on for patient confidentiality.
Online medical record storage: Bad medicine?
Even with HIPAA in place and all concerns addressed, is there a way that the general public will feel safer about their medical information being kept online?
Recently, a nationwide poll conducted by Stay Safe Online and the Anti-Phishing Working Group showed the level of concern for the loss of personal or financial information to be just above concerns of job loss and even topped the concern of the loss of medical coverage, a hot topic in the recent 2008 elections.
Fusion: Loss of personal information and health care
There are a fusion of concerns over medical coverage, record storage and patient data security. Obviously this data shows national anxiety could exist about any two of these three factors. The loss of health care for family and the loss of personal information, can be considered to be two elements of the perfect storm. Identity theft can involve your medical coverage. ESET has covered the perspective of job loss due to malware but medical identity theft through malware or data breach is relatively unknown.
55 percent of those polled in ESET's 2009 survey felt uncertain to unsure that online storage of medical records would remain secure.
One theory is that this could be considered as convergence into the loss of medical coverage; after medical record breaches a victim's coverage could be affected both by fraudsters who auction off the identity as well as potentially being illicitly used as risk assessment by gray-market insurance companies.Either way, only 8 percent of those surveyed are completely certain that medical record storage online will remain secure and 55 percent are unsure to very uncertain about online medical record security. Note also that this ESET poll was taken over the phone not through the internet and that internet polls may reflect a stronger confidence in online security.
Existing medical record data breach risks
Right now there are data breaches of physical records which occur all of the time. Aetna, one of the most consumer-recognized and valued names in the insurance industry, recently suffered a breach of physical medical records which made the news. Medical insiders relayed speculation to me that these records may have been transported outside the hospital after most likely being ëchecked out' by an employee or contractor who then lost physical custody of them.
While physical security will always continue to be a risk the always-available nature of online accessible records means that compromise could not just occur only at a single point of storage but across many separate storage sites such as a doctor's PC, the hospital records room, and the patient's PC, or even while in transit between any of these points.
Worse, cleaning the mess up could be more tedious than cleaning up a financial identity theft. The Federal Trade Commission's site on Medical Identity Theft states:
Unlike credit reports, there is no central source for your medical records. You need to contact each provider you do business with – including doctors, clinics, hospitals, pharmacies, laboratories and health plans – that is relevant to your experience.
Additionally, this sophisticated element of fraud often goes overlooked until a consumer digs deeply into their own medical past and digs deeper still into their own pocket for the costs:
It is likely that you have to complete a form and pay a fee to get a copy of your records. Keep track of your communications with your health plan and providers, including copies of postal and email correspondence, and a log of your phone calls, conversations and activities.
Without ID theft being involved I've had to spend upwards of $300 to obtain a full medical record for a family member – I have yet to determine whether any law on identity theft may provides remedy from those up-front costs.
How hospitals and medical providers can help
Since the recommended course of action is to follow current identity theft procedures medical providers may assist by waiving the costs of duplicate records if a good case can be presented to them regarding the identity theft. This could be easily accomplished by furnishing a soft digital copy rather than hard printouts. I suspect that digital copies may not be in the hospital's best interest even if they themselves digitally store the patient's records due to litigation, so this may be a challenge to implement.
Medical providers may want to include these tips from the FTC in their messaging to their clients:
Be on guard when you use the internet, especially to access accounts or records related to your medical care or insurance.
If you are asked to share sensitive personal information like your Social Security number, insurance account information or any details of your health or medical conditions on the Internet, ask why it is needed, how it will be kept safe, and whether it will be shared.
Look for website privacy policies and read them: They should specify how site operators maintain the accuracy of the personal information they collect, as well as how they secure it, who has access to it, how they will use the information you provide, and whether they will share it with third parties.
If you decide to share your information online, look for indicators that the site is secure, like a lock icon on the browser's status bar or a URL that begins “https:” (the “s” is for secure).
Remember that email is not secure.
Identity theft can involve your medical coverage. The loss of health care for family and the loss of personal information are two elements of the perfect storm that nobody wants to suffer through.
Prevention of breach is the first priority. Proper anti-virus protection is just one layer of protection which consumers and HIPAA compliant organizations need to employ in order to defend against this threat.