Frankenstein Was an Amateur

There’s a big push in the U.S. right now to computerize health records so they can be more easily searched, transferred and analyzed. The potential benefits touted include greater portability – go to a new doctor and never worry about getting all your records for them – and wonderful new technologies like automatic checking for unsafe drug interactions.

Of course there’s a lot of money involved, too. The American Recovery and Reinvestment Act of 2009 (you know, the stimulus bill) created an Office of the National Coordinator for Health Information Technology and allocated billions of dollars to promote adoption of electronic health records (see article here). Yeah. That’s what the health industry needs: more bureaucracy.

The Spring 2009 issue of Rand Review (no link; I’m working from a hard copy) has an impressive array of charts and graphs and numbers claiming that health technology can save vast amounts of money. They even make the hilarious claim that computerizing people’s health records will improve privacy! Usually at this point I would put a list of links to articles about hacking incidents related to the subject I’m discussing, but that doesn’t begin to show the magnitude of the problem. Instead, here’s one link to a Google search for medical records compromised: http://www.google.com/#hl=en&q=medical+records+compromised. It’s showing me 649,000 records when I run it today. Interestingly, there doesn’t seem to be a lot of duplication.

Note that I used the word “compromise” in the search because there are many different kinds of problems with electronic records (not just health related ones) beyond “hacking” by malicious and probably unknown people. In all areas of electronic records, insiders misusing their privileges to access records they shouldn’t is a common problem. And hardly a day goes by without news of someone, somewhere, misplacing a laptop that just happened to have tens of thousands of records (including social security numbers) on it.

To date, hospitals have not been eager to adopt centralized health record systems (see here). Security is probably one of the reasons. At least, I hope it is! Related to that is the vulnerability of electronic systems to outages. At the beginning of June this year the Indianapolis Star reported that Indianapolis’s Methodist Hospital was forced to turn patients away after a problem with their electronic health records system (See here. Interestingly, the original newspaper article seems to have disappeared).

In somewhat related news, it turns out that medical devices such as heart defibrillators and new, cutting-edge devices implanted directly in the brain often have little or no security (see articles from Mindhacks, Schneier and The Journal of Neurosurgery – I love this last one just for the wonderful term neurosecurity). Problems include lack of authentication for system updates and lack of encryption to protect information transfers. These are extremely basic measures! Ignoring them seems indefensible, not to mention reckless. Without even those simple protections of data and code, the door is wide open for unauthorized manipulation (as the journal article proves).

Sometimes I write science fiction and this sets up exactly the kind of story I would write: Wily hacker digs through someone’s online health information records to discover the make and model of a device implanted in the victim’s brain, then uses the poor security on that device to directly take over the person’s body. It’s sneaky, nasty and rooted in existing technology. Here’s the thing about stories like that: It’s not just us writers who think of them. Hackers can be just as creative (and more determined to use the scenario, rather than just write it up).

Again, I want to stress that I’m not saying that we should stay away from the deadly evil of electronic health records. They are coming and there will be great benefits in the long run. But if we don’t slow down and start doing something about the inherent risks, the road is going to be chaotic and deadly for a lot of people.
