Monday, August 22, 2011

Google Your Health Records

[Screenshot capture: Google search, EMR]

[Screenshot capture: Google Apps]

Another wake-up call about privacy and security:

Huffington Post:

SAN FRANCISCO — Until recently, medical files belonging to nearly 300,000 Californians sat unsecured on the Internet for the entire world to see.

There were insurance forms, Social Security numbers and doctors' notes. Among the files were summaries that spelled out, in painstaking detail, a trucker's crushed fingers, a maintenance worker's broken ribs and one man's bout with sexual dysfunction.

At a time of mounting computer hacking threats, the incident offers an alarming glimpse at privacy risks as the nation moves steadily into an era in which every American's sensitive medical information will be digitized.

Electronic records can lower costs, cut bureaucracy and ultimately save lives. The government is offering bonuses to early adopters and threatening penalties and cuts in payments to medical providers who refuse to change.

But there are not-so-hidden costs with modernization.

"When things go wrong, they can really go wrong," says Beth Givens, director of the nonprofit Privacy Rights Clearinghouse, which tracks data breaches. "Even the most well-designed systems are not safe. ... This case is a good example of how the human element is the weakest link."

Southern California Medical-Legal Consultants, which represents doctors and hospitals seeking payment from patients receiving workers' compensation, put the records on a website that it believed only employees could use, owner Joel Hecht says.

The personal data was discovered by Aaron Titus, a researcher with Identity Finder who then alerted Hecht's firm and The Associated Press. He found it through Internet searches, a common tactic for finding private information posted on unsecured sites.

The data were "available to anyone in the world with half a brain and access to Google," Titus says.

[Screenshot capture: Google search, CA]

Titus says Hecht's company failed to use two basic techniques that could have protected the data – requiring a password and instructing search engines not to index the pages. He called the breach "likely a case of felony stupidity."


In the wrong hands, health records can be used for blackmail and public humiliation. The information can also be used by insurance companies to inflate rates, or by employers to deny job applicants.

Usually when personal data are exposed, it's the result of a network break-in by a hacker or a theft of computer equipment. Sometimes, it can be a simple case of someone mishandling the information.

Leaks are more likely the more data are passed around within the health industry's increasingly interconnected networks.


Dozens of companies can be authorized to handle a single person's medical records. The further away from the health care provider the records get, the flimsier the enforcement mechanisms for ensuring the data are protected.

That's exactly what happened at Hecht's company. Hecht declined to go into further detail about how the information ended up online. He says many of the Social Security numbers and basic details about people's injuries were part of a database his firm compiled from information regularly sent by the state.

As instances of data mishandling become more commonplace, government officials may seek greater control over security policies of companies with access to health care records that aren't currently regulated.
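Titus names two basic controls the firm skipped: requiring a password and telling search engines not to index the pages. The script below is an added example (not code from the post, the AP, or the firm) that judges a single anonymously fetched document against both controls, using a simplified Response model and constructed sample responses rather than anything captured from a real site. It also shows why a robots.txt Disallow is not a substitute: it is a request that crawlers may ignore, and it advertises the very path it names.

```python
import re
import urllib.robotparser
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Response:
    """Simplified stand-in for an HTTP response to an anonymous GET.
    (Assumption: status, headers and body are enough to judge the two controls.)"""
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


def _header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup; empty string when absent."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), "")


_NOINDEX = re.compile(r"\b(noindex|none)\b", re.I)
_META_ROBOTS = re.compile(
    r'<meta\s+name=["\']robots["\']\s+content=["\']([^"\']*)["\']', re.I)


def has_noindex(resp: Response) -> bool:
    """True if the page tells crawlers not to index it. An X-Robots-Tag header
    works for any file type (PDFs, scanned forms); the meta tag only for HTML."""
    if _NOINDEX.search(_header(resp.headers, "X-Robots-Tag")):
        return True
    m = _META_ROBOTS.search(resp.body)
    return bool(m and _NOINDEX.search(m.group(1)))


def robots_allows(robots_txt: str, path: str) -> bool:
    """Would a well-behaved crawler fetch this path under the site's robots.txt?"""
    rp = urllib.robotparser.RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return rp.can_fetch("*", path)


def assess(resp: Response, path: str, robots_txt: str = "") -> List[str]:
    """Findings for one document fetched without credentials.

    'unauthenticated'      content was served to an anonymous client (the breach)
    'indexable'            nothing stops a search engine from indexing it
    'robots-disallow-only' robots.txt is the only thing keeping it out of search:
                           a hint, not a control, and one that lists the path
    """
    findings: List[str] = []
    if resp.status != 200:
        return findings  # 401/403/redirect to login: the password control is present
    findings.append("unauthenticated")
    if has_noindex(resp):
        return findings
    if robots_allows(robots_txt, path):
        findings.append("indexable")
    else:
        findings.append("robots-disallow-only")
    return findings


# Constructed sample responses; not captures from any real site.
EXPOSED = Response(200, {"Content-Type": "application/pdf"}, "")
NOINDEX_ONLY = Response(200, {"Content-Type": "application/pdf",
                              "X-Robots-Tag": "noindex, nofollow"}, "")
META_HTML = Response(200, {"Content-Type": "text/html"},
                     '<html><head><meta name="robots" content="noindex"></head></html>')
HARDENED = Response(401, {"WWW-Authenticate": 'Basic realm="staff"'}, "")
ROBOTS = "User-agent: *\nDisallow: /claims/\n"

if __name__ == "__main__":
    for name, r in [("exposed", EXPOSED), ("noindex-only", NOINDEX_ONLY),
                    ("hardened", HARDENED)]:
        print(name, assess(r, "/claims/summary.pdf"),
              assess(r, "/claims/summary.pdf", ROBOTS))
```

Note the ordering in `assess`: a no-index instruction only ever reduces discoverability. A document that returns 200 to an anonymous client is already exposed to anyone who has or guesses the URL, whatever robots.txt or X-Robots-Tag say, which is why the authentication check comes first and is the finding that matters.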

Can electronic medical information be insulated from attackers? Where there is a will, there is a way. One obvious step is to stop using Social Security numbers as key identifiers: a record identifier can instead be derived algorithmically from attributes such as date of birth and previous addresses, an approach the credit reporting agencies already use.
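One concrete way to keep SSNs out of working files is a keyed pseudonymous identifier. The following is an added example, not the post's own method and not any particular vendor's: it derives a stable record ID with HMAC-SHA256 over the SSN and date of birth under a secret key (here a constructed demo key; in practice it would live in a KMS or HSM, never beside the records), and contrasts it with a plain unkeyed hash, which an attacker who knows the DOB and the first five SSN digits can reverse by trying the 10,000 remaining serials. The SSN and date used are constructed sample values.

```python
import hashlib
import hmac
from typing import Callable, Optional

# Constructed demo key (assumption: a 32-byte secret held outside the record store).
DEMO_KEY = bytes.fromhex("8f1c" * 16)


def normalize_ssn(ssn: str) -> str:
    """Strip separators; reject anything that is not exactly nine digits."""
    digits = "".join(ch for ch in ssn if ch.isdigit())
    if len(digits) != 9:
        raise ValueError("SSN must contain exactly nine digits")
    return digits


def unkeyed_id(ssn: str, dob_iso: str) -> str:
    """The tempting but weak approach: a plain hash of SSN and date of birth.
    Anyone can recompute it, so it is only as secret as the SSN's entropy."""
    msg = f"{normalize_ssn(ssn)}|{dob_iso}".encode()
    return hashlib.sha256(msg).hexdigest()


def record_id(ssn: str, dob_iso: str, key: bytes = DEMO_KEY) -> str:
    """Keyed pseudonymous identifier: the same person always maps to the same
    ID under the same key, but without the key the ID cannot be linked back
    to the SSN even by exhaustive search."""
    msg = f"{normalize_ssn(ssn)}|{dob_iso}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def recover_ssn(target: str, dob_iso: str, known_prefix: str,
                derive: Callable[[str, str], str]) -> Optional[str]:
    """Attacker model: the target identifier and the DOB are both in the leaked
    record, and the first five SSN digits are known or guessable (area and
    group numbers correlate with state and year of issuance). Only the four
    serial digits remain, so 10,000 trials of `derive` settle it."""
    for serial in range(10000):
        candidate = f"{known_prefix}{serial:04d}"
        if hmac.compare_digest(derive(candidate, dob_iso), target):
            return candidate
    return None


if __name__ == "__main__":
    dob = "1970-01-01"                      # constructed sample value
    weak = unkeyed_id("123-45-6789", dob)   # constructed sample SSN
    strong = record_id("123-45-6789", dob)
    print("unkeyed hash recovered:", recover_ssn(weak, dob, "12345", unkeyed_id))
    print("keyed id recovered:", recover_ssn(
        strong, dob, "12345", lambda s, d: record_id(s, d, b"attacker-guess")))
```

The keyed identifier is deliberately deterministic so that records for one patient can still be joined; the trade-off is that whoever holds the key can reverse the mapping, so key custody (and rotation, which changes every ID) becomes the control that replaces SSN secrecy.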

While HIPAA imposes strict protocols, compliance in practice falls upon companies and entities far removed from the point of care delivery. Caveat emptor, patients!
