With the recent discovery of the ShellShock vulnerability affecting a large number of computers, the question comes up again: How secure is medical data? Thanks to the federally mandated push to transfer medical data from paper charts to computer databases, most if not all of this data is now fertile ground for hackers. As pointed out in this article medical data is more valuable to hackers than stolen credit cards. The stolen data is used to create fake IDs to purchase drugs or medical equipment, or to file made-up insurance claims. Hackers want our medical data and hackers usually find a way to get what they want.
In going from paper to silicon, we have traded one set of disadvantages for another. Paper charts are bulky, require storage, can get lost or destroyed, are not always immediately available, can be difficult to decipher, and so on. Electronic heath records (EHR) systems were intended to avoid these disadvantages and to a large part do; however, we have traded the physical security of the paper chart, which can be locked up, for the insecurity of having our medical data exposed to open ports on the Internet. And make no mistake, the Internet is a wild and scary place.
My own website, certainly not containing anything worth much to hackers, is subject to multiple daily bruteforce password guessing attacks to login. Fortunately I have security software in place, but despite this the site was successfully hacked in the past from Russia. There is no doubt more important sites than mine are subject to more intense attacks. Millions of credit cards have been stolen in attacks on Target and Home Depot. Celebrity nude photos have been stolen from “secure” sites. And if you are not worried about hackers getting your medical data, thanks to Edward Snowden’s revelations you can be sure that it is freely available to the NSA.
But certainly, you ask, given the sensitivity of the data, EHRs must be amongst the most secure of all computer systems? Well it’s difficult to answer that question. Most EHR systems use proprietary software, so the only people examining the source code for bugs are the people that work for the EHR company. It is unlikely that any bugs found would be publicized; rather they would be silently fixed. As critical as some people have been about the existence of bugs in open source software, such as the HeartBleed and ShellShock bugs, at least there is a potential for such bugs to be found by outside code reviewers. There is no such oversight over the code of the EHR purveyors.
Even if one for the sake of argument assumes that EHR systems are secure from online hacking, they are still very vulnerable to what is known as “hacking by social engineering” or “social hacking.” Social hacking involves the weakest link of all security systems, the computer users: doctors, nurses, medical assistants, unit secretaries and others. People who use easy to guess passwords like “123456” or who tape the password to the bottom of the keyboard. People who get a call from someone pretending to be from IT asking for the user’s ID and password in order to fix some supposed problem. There are a large number of cons that rely on human gullibility that can be used to break into “secure systems.”
Besides these issues, I observed a great deal of laziness in regard to security when working in the hospital. Doctors would often log into the EHR system, review patient data, and then leave the computer to visit the patient room without logging out of the system. Anyone could sit down at that computer and view confidential patient information. Some of the systems would automatically log off after a few minutes, but even so there was plenty of time for a dedicated snoop to get into the system. And the problem can occur in doctor’s offices too, now that many exam rooms have a built-in computer.
Just yesterday at my eye doctor’s office I was left alone in the exam room for about 15 minutes while my eyes were dilating. Sitting next to me was a desktop computer running Windows 7, left with the user logged on. This doctor’s entire network lay vulnerable. How easy would it be to read patient files, or copy a rootkit or a virus onto the system using a USB drive? Real easy.
Bug-free and 100% secure software probably is a pipe-dream that can’t be achieved in the real-world. In addition, hospitals, with hundreds of computer terminals everywhere, some still running such outdated and vulnerable operating systems as Windows XP, and with busy, security-unconscious users like doctors and nurses, are a security disaster waiting to happen. Now that we have put all our medical data metaphorically into one basket, I am convinced it is only a matter of time before there is a massive data breach that will make the Target credit card breach seem trivial by comparison. Better training of medical personnel who use EHRs may help prevent this, and this should doubtless be done. But we will never have the level of security again that existed in the era of paper charts.
David Mann is a retired cardiac electrophysiologist and blogs at EP Studios.