Medical Data Blackmail: A Teaching Moment
Tags: EHR security, healthcare data security, HIPAA, patient record data
A recent hack on a small medical practice provides an instructive example of the risks involved with electronic medical records. The Surgeons of Lake County, a medical facility in the northern Illinois suburb of Libertyville, revealed last month that hackers had deeply penetrated its computer network and taken control of a server where e-mails and electronic medical records were stored. Unlike the embarrassing and careless mistakes that are typically associated with healthcare data security breaches, this time around the hackers not only targeted this particular physician practice, but they made no attempt to keep their crime a secret. According to Bloomberg News, “they all but fired a flare to announce the break-in, taking the extreme step of encrypting their illicit haul and posting a digital ransom note demanding payment for the password.”
The doctors turned the server off and notified the authorities, refusing to pay the ransom. “This story is so ironic — most people worry that their health records will be spread all over their local newspaper,” said Dorothy Glancy, a professor at Santa Clara University’s law school who specializes in digital privacy. “But in this case, the doctors — in fact, nobody — can access these records.”
I have to admit that I have a little problem with those quotes. Why would local newspapers publish patient health records, regardless of the circumstances? Last time I checked, trafficking in stolen goods is known as fencing, and it, too, is an illegal activity. Since when did a market for hacked medical records develop?
The Surgeons of Lake County aren’t the first health care provider to be targeted by extortionists. The incident, which was spotted by privacy blogger Dissent Doe in a federal database of health-related breaches, showcases an unsettling new strain of opportunism that is emerging as criminals try to exploit the industry’s shift to digital medical records. The attackers’ choice of tactics, particularly the use of encryption, indicates a level of sophistication and targeting that suggests they knew what they were doing, said Rick Kam, president of ID Experts, a Portland, Oregon-based company that makes data-breach prevention technology and specializes in health care.
Really? I read these stories with a great deal of interest and cynicism because they inevitably reveal the fact that just about everyone associated with the breach is clueless. Obviously the hackers are sophisticated, and malicious. If the question is, “why did they do it,” the answer is simple: because they could, and/or because at some point along the way they had a reason to believe they might have a chance to collect money for their trouble.
Based on the number of practices moving to electronic health records, “many more” of these types of breaches should be expected, Kam wrote in an email. Until now, medical-data blackmail has been a niche crime, largely because of the difficulty and risk involved. Spam and online bank fraud are easier ways for fraudsters to make money.
One case involved Express Scripts, the large prescription-drug benefits manager (PBM), and a threat it received in 2008. Someone sent the St. Louis-based company personal information on about 75 of its members, including identification numbers and prescription records, and demanded an unspecified sum. The company refused to pay, and eventually told 700,000 customers that their information could have been exposed. Not an ideal outcome, and I clearly “get” the fear people have, but for providers who meet a responsible threshold in terms of the security provisions they enact, why not consider treating them like the victims instead of the villains? The crooks are the hackers, and if that fact were more fully appreciated, our fear would become their only leverage.
Network data security risk is not a reason to reconsider EMR implementation. These stories should be instructive, not obstructive. Shopping for network security expertise parallels other software and/or IT supplier selection processes. You will find yourself choosing among a big, branded firm whose most compelling feature is that it is a big, branded firm; smaller, best-in-breed providers whose selling point is their referenceability; or, through your favorite consultancy, several distinct options at once.
Source: Bloomberg News
—Tom Finn