The state of healthcare IT security: are Americans concerned enough? | WeLiveSecurity

The state of healthcare IT security: are Americans concerned enough?

The privacy and security of medical records is a matter of concern to many Americans now that most are now stored electronically, but is there cause for concern? And who is most concerned?

The privacy and security of medical records is a matter of concern to many Americans now that most are now stored electronically, but is there cause for concern? And who is most concerned?

With the health records of most Americans now stored, in whole or in part, on computers, it seems timely to ask how people feel about that. Are they happy with this aspect of healthcare evolution? Are they concerned? Do they have reasons to be concerned? This article examines these questions and supplies some numbers that may provide answers.

[Update, August 18, 2014: “Hack of Community Health Systems Affects 4.5 Million Patients” is reported in the New York Times, which cites the figure of 24,800 medical records exposed per day in 2013, detailed in this article.]

Cause for concern: numbers

When you ask people how they feel about anything health-related you tend to get a wide range of responses and some of them are, understandably, personal and even emotional. So let’s start with some relatively clinical facts, like 24,800. That is the average number of Americans who, by my calculation, had their Protected Health Information (PHI) exposed, per day, in 2013.

I refer to this as my calculation because I derived it from a spreadsheet that I built out of the database that is published by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) on the web page known in the healthcare IT world as “the wall of shame” (seriously, just Google: OCR wall of shame). The database contains all of the reports of PHI exposure required under the Health Insurance Portability and accountability Act of 1996 also known as HIPAA.

Every time I quote that figure of 24,800 records breached, per day, on average, I go check my formulas to make sure I have this number right, and I’m pretty sure I do, with a couple of caveats,

  • First, the official title of the page is Breaches Affecting 500 or More Individuals, and that describes the content of the database they publish, which covers 2009 through May of this year. In other words, that average of 24,800 for 2013 does not include breaches that year which affected less than 500 people, of which there were scores if not hundreds.
  • Second, my count is based on the year of the breach, or the final year in the case of a multi-year breach. Obviously, this could be different from the year in which the breach came to light. That’s one reason I am quoting 2013, because the numbers for 2014 are not going to be anything like “complete” until at least mid-2015.*
  • For reference, my total count for 2013 is 9,054,35. The total for all reports, from late 2009 to the most recent posting I captured (Minneapolis VA Health Care System, 5/22/14) came to: 33,738,538. So far in 2014, the count is about 1.5 million, but sadly the year is yet young in terms of breaches coming to light.

To be clear, I am not equating breaches with harm, but harm definitely occurs in some cases (a good source for insight on this would be the Ponemon Institute Survey on Medical Identity Fraud which estimated the financial impact to consumers at $12 billion in 2013). Many of the millions of records that are exposed each year don’t end up in the hands of bad people, but we know for sure that some do, and nobody has a good handle on exactly how many. For a well-documented example of how criminals sell and exploit personal information stolen from medical companies, see Brian Krebs’ article on the doctors hit by tax fraud earlier this year.

I definitely think the current state of IT security in the healthcare world is cause for serious concern, although some would say medical data breach statistics pale in comparison to the number of premature deaths associated with preventable harm to patients (recently estimated at more than 400,000 per year). However, data breaches and medical errors are not unrelated, particularly when greater use of IT systems and digital devices is often put forward as a way to reduce preventable medical errors. That is not reassuring, given some of the attitudes toward information security that I have observed in different parts of the medical world.

Cause for Concern: Attitudes

The recent SANS Health Care Cyber Threat Report, sponsored by threat intelligence vendor Norse and reported in detail by Dan Munro on Forbes, contains not only troubling numbers about healthcare IT security, but also reminds us that medical devices, many of which are actually computers, are at risk. For example, I am writing this article at Black Hat, an annual security event in Las Vegas known for revealing new vulnerabilities in digital devices and systems. Yesterday I had a chance to talk to Jay Radcliffe, the man who opened a lot of eyes to the vulnerability of medical devices when he hacked his own insulin pump at Black Hat in 2011. So I asked Radcliffe, himself a Type 1 diabetic, if things had changed since then, “Not really,” said Radcliffe, who has tried to raise awareness of security issues among medical device makers, adding, “In fact, that’s the main reason I no longer use an insulin pump.” (You can read more about Radcliffe on the blog of Boston-based cybersecurity firm Rapid7 where his job title just happens to be the same as mine: Senior Security Researcher.)

Right before Black Hat, I was at an event called ChannelCon, put on CompTIA, the computer trade industry association. Channelcon is a great place to meet the people who actually sell and deliver IT products and services, from enterprises to small businesses. Those products and services include security, including firewalls, antivirus, encryption, authentication, backup and recovery and threat intelligence. I asked a number of IT integrators and managed service providers about selling security in the medical sector, specifically doctors’ offices. The answer I heard loudest and most often? “Doctors don’t care.” When I asked “But what about HIPAA?” The answer was: “They just don’t care.”

Obviously this is not true of all doctors, but I’ve now heard this refrain enough times to think there is a real problem here. After all, aren’t doctors required to protect electronic health records by professional ethics as well as law? Is there some sort of collective denial going on here? I think that question has probably come up at OCR, which continues to find that even large and well-funded hospital systems not meeting HIPAA privacy and security requirements. And before anyone says these are too onerous or were imposed too quickly, consider this:

“We are looking at a federally-mandated standard for security practices within companies involved in healthcare or handling health-related information. Note that these are considered practices necessary to conduct business electronically in the health care industry today. In other words, normal business costs, things you should be doing today…”

That is a direct quote from my first conference presentation on the importance of getting ready for HIPAA’s privacy and security requirements, delivered in March of 2001. That’s right, more than 13 years ago. The point being, health information on computer systems should have been protected in 2001, before the rules and regulations were finalized, before the compliance deadlines, before the first fines were levied, before the multimillion dollar fines, of which we are likely to see more before the year is out.

Signs of Concern

With all these causes for concern, how concerned are Americans? Not to be glib, but the answer really depends on whom you ask. For example, earlier this year we asked 1,734 American adults if they were concerned about the security and privacy of their electronic patient health records and 40 percent said they were, while 43 percent said they were not. However, the other 17 percent said that, to their knowledge, their health records were not in electronic format. So if we take them out of the equation, the “concerned or not?” question breaks down as 48 percent yes, versus 50 percent no.

Within these numbers, there are some interesting demographic variations. For example, those aged 45-54 are more likely to be concerned than those 18-44 years. Concern was greater among those with college education and among those with children in the household (54 percent vs. 46 percent). Concern was expressed more often among those at the upper and lower ends of the household income scale, with those in the $75K to 90K range concerned less often (45 percent).

I should point out that this survey population may not be entirely representative of the whole adult population. For a start, it is a subset of the 2,034 people to whom we put this question: “How familiar, if at all, are you with the recent NSA news about secret government surveillance of private citizens’ phone calls, emails, online activity, etc.?” The people we quizzed about medical records were “at least somewhat aware” of the Snowden/NSA revelations, about 85 percent of the original sample.

Just under half of American adults who are sufficiently in touch with news and technology tend to be aware of both the Snowden revelations and the fact that their health records are stored electronically are concerned about the privacy and security of those records. Shouldn’t we be seeing a greater level of concern than this? In my opinion, the answer is yes, but that alone is not likely to change many minds. What will change minds is something like the Snowden or Target of electronic health records, a revelation or incident so far-reaching and egregious that just about everyone in the country sits up and takes notice. If that happens there will be headlines, accusations, letters to congress, recriminations, investigations, jobs lost and eventually huge fines and damage awards.

It would be very sad to something like that embroil see the healthcare industry in America, in which so many people work so hard to improve the lives of others. But unless attitudes change and numbers improve, and unless our government decides to get serious about reducing cybercrime, the outlook is stormy at best.


Note that additional results from the survey referred to in this article, which was conducted by ESET in conjunction with Harris Interactive, were published here and additionally here.

*The issue of when breaches occur versus when they come to light can be seen in this article in Health IT Outcomes about the 2013 statistics. It was written early in 2014 and cites a smaller number of total breaches: 8 million versus the 9 million that are listed as “2013” by July 0f 2014 (to paraphrase the Dude: “New breaches have come to light”). However, the article goes on to quote a very interesting source that asserts the total breach numbers are way higher than is reported.