With all the excitement surrounding electronic health records in the new administration, including the $19 billion in the stimulus bill set aside to further their adoption, it's easy to forget the potential risks of moving our health information online.
One striking example of the possible downside came to us on Monday from Wikileaks via the Washington Post's Security Fix blog:
Hackers last week broke into a Virginia state Web site used by pharmacists to track prescription drug abuse. They deleted records on more than 8 million patients and replaced the site's homepage with a ransom note demanding $10 million for the return of the records, according to a posting on Wikileaks.org, an online clearinghouse for leaked documents.
Wikileaks reports that the Web site for the Virginia Prescription Monitoring Program was defaced last week with a message claiming that the database of prescriptions had been bundled into an encrypted, password-protected file. Wikileaks also printed a copy of the ransom note:
I have your [expletive] In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :( For $10 million, I will gladly send along the password.
The state discovered the attack on April 30 and shut down the Web site soon after. It is in the process of restoring the systems, but there is no word yet on whether the attacker has been identified.
The incident serves as a vivid reminder of the dangers of uploading a massive amount of private data without first having the mechanisms in place to ensure it is secure. Even if Virginia manages to restore the systems and recover the lost health records, it's small consolation to the more than 8 million patients whose data is now sitting in the hands of a known criminal. While there is no indication yet who is behind the attack, numerous elements from health marketing organizations to organized crime would be willing to pay good money for such information.
Hopefully the federal government is taking notes from this incident and planning how to prevent a similar breach from occurring at the federal level, especially if they still plan on putting every American's health records online within five years.



COMMENTS
Government initiatives in the world of eHR are causing rapid change in the way patient records are managed. While the intent is to enhance patient outcomes and reduce costs, incidents like this recent one in VA demonstrate the inherent risk and downside associated with managing massive amounts of patient records in an electronic format, if not done properly. Government and private sector databases are subject to continued outside attacks. Unless the proper security measures and processes are put in place, exposure of patient records and information is inevitable. Secure data transfer products and solutions have been deployed at tens of thousands of sites over the past decade and help organizations avoid the embarrassment of losing valuable patient records.
Doug Witter
Director, Solutions Marketing - Healthcare
Axway
Doug Witter 05/20/09 03:28 pm ET
We are on the verge of DNA Credit Cards. A time when everyone is known to everyone else by the government-issued DNA-encoded smart card. We will be at once totally transparent to everyone else, not just medical records, but also totally able to be hacked and cracked by anyone with a little technical know-how. For the speed and convenience of technology we will sacrifice our freedom and security. Some things are not worth the money we will save.
westj 05/07/09 09:35 am ET
We already have national databases of financial records. When someone steals your identity, it can take years to correct your financial records. However, all this costs you is time and money. What happens when the identity thief walks into a hospital under your name? Your medical records are updated with the thief’s information. So when you are rushed to the Hospital after a car crash or heart attack, will your records reflect the wrong blood type, allergies, prescriptions being taken, etc.?
In these situations legitimate hospitals, clinics and doctors will have entered the wrong data. No level of protection from hackers can correct a situation where identity thieves seek medical care under your identity. Until we issue National Identity Cards with biometrics, a true affront to our civil liberties, a national medical record system will be bad for your health.
Steven Kotarinos 05/06/09 10:09 am ET
I have had my site hacked a few times and I can tell you it really sucks!! I guess the US government needs to hire some more ex-hackers.
Toronto SEO Guy 05/06/09 07:52 am ET