Most of what I’ve read and previously written about electronic health records has been about making them work better or getting more clinicians to use them. Security of patients’ on-line data hasn’t been a major topic of concern. I’ve assumed that this was because these concerns had mostly been addressed back in the late 1990s during the development of the Health Insurance Portability and Accountability Act (HIPAA), or because those creating systems to allow medical information to be internet accessible – like those coalitions building dedicated Health Information Exchanges and companies like Microsoft, Google, and BlueCross BlueShield insurance plans – have resolved the security concerns.
However, I just read the cover story in the May 31st National Journal (“China’s Cyber-Militia”), which made me question these assumptions. The article doesn’t mention healthcare or electronic medical records, but it makes me very concerned because it discusses how Chinese hackers (or hackers working through computers based in China) have been responsible for serious industrial/utility computer breeches, and how government and private sector officials at the highest level are very concerned about this and the trend towards even more cyber-infiltrations.
If I had heard this third-hand I’d be inclined to dismiss it as extremist or Luddite hysterics. But the National Journal is solidly in the mainstream of responsible journalism, and even when their article cites reports from other publications (such as the New Yorker) they reinforce the point with information from other sources and direct interviews with knowledgeable insiders.
Some of the specific points in the article that made me sit up and take notice were:
The February, 2008 blackout affecting 3 million people in South Florida was probably caused by “a Chinese PLA [People’s Liberation Army] hacker attempting to map Florida Power and Light’s computer infrastructure apparently made a mistake. “The hacker was probably supposed to be mapping the system for his bosses and just got carried away and had a ‘what happens if I pull on this’ moment.” The hacker triggered a cascade effect, shutting down large portions of the Florida power grid, the security expert said. “I suspect, as the system went down, the PLA hacker said something like, ‘Oops, my bad,’ in Chinese.”
The article also discusses how the massive August 2003 blackout in the Northeastern US is believed to have been due to Chinese hackers – despite the public explanation that it was caused by overgrown trees in Ohio hitting high voltage lines.
The article even delves into how Chinese hackers are infiltrating corporate computer systems to steal company technology and business secrets, plans and strategies. For example, it includes a security expert’s story about one company’s experience of entering into face-to-face business discussions in China where “the Chinese based their starting points for negotiations on the Americans’ end points.” As Joel Brenner, the US government’s chief counterintelligence officer is quoted in the article, “If you travel abroad and are the director of research or the chief executive of a large company, you’re a target.”
Security of Online Health Records
Two potential weaknesses of utility and corporate computer systems may be because their systems are from third party vendors or were built with older architecture designed before on-line security was a concern. Because the computer systems for electronic health records and information exchanges are being built by the companies who are using them or have ongoing contracts for maintaining them – and are probably being built with newer software architectures – perhaps they are better protected.
The other reason why online health records may be more secure than utility or corporate systems is that hackers probably don’t have the financial or geopolitical incentives to break into medical record depositories. However, I can imagine situations or incentives for groups (aside from pure nihilism) that could change that – butI don’t want to speculate here and give anybody any ideas.
But if one of the great potential values of electronic medical records is having them joined together into Health Information Exchanges, and hackers are apparently able to infiltrate and wreak havoc in sophisticated computer networks, then I hope those developing EMR and HIE systems are really paying attention to security issues. If patients have concerns that their personal information is hackable, this could lead to a tremendous backlash against the use of a technology that should be very valuable for improving the quality of care and reducing the long-term growth in healthcare costs.