In The Era of Cloud Health Data, Safety Is Not Guaranteed
As many as 80 million Americans were affected by the recent hack into Anthem's medical systems. Sound Medicine host Barbara Lewis spoke with Titus Schleyer, director of the Regenstrief Center for Biomedical Informatics in Indianapolis, to learn what protections are in place to secure medical records, how the medical world is fighting off hackers, and what, if anything, you can do to protect your personal information.
Titus Schleyer: Breaches like Anthem's highlight the fact that there is a lot of medical information out there, but it's not new, and the people who keep the information need it for doing their jobs.
Sound Medicine: How can hackers use the information they obtained from the Anthem hack: medical data, social security numbers, mailing addresses, and the like?
TS: I've thought about this question. If your medical record were out on the internet, who would do anything with it and what would they do with it? The answer is fairly little. When we think about areas where disclosing your medical information makes a difference, it's usually in employment, and life insurance companies use it. But most patients' records if they were published on the internet would make for quite boring reading. What's really much more important, as in the Anthem case, is social security numbers, dates of birth, addresses, and so on.
The average hacker wants to get money, so they'll open up a credit card account in your name, using your data, draw as much off it as they can, and then hit the next victim. Or they'll file a fraudulent tax return in your name, and cash a check before you're even aware that happened.
SM: How seriously do healthcare providers and insurance companies take our privacy? Obviously we have this one huge case, but it's not the only one.
TS: This has been going on for a while. [The Anthem hack] made a lot of waves because this is such a large volume case. Providers and people who keep our medical information have gotten more conscientious about it, partially because of the Health Insurance Portability and Accountability Act [HIPAA], which has been in effect since 1996. And that act specifies very strictly what security and privacy safeguards you have to have in place.
I'm a healthcare provider myself, I'm a dentist, I've worked at several academic medical centers since HIPAA was passed. People take it seriously, because the penalties for disclosing medical information are quite steep, and no medical center wants to be asked to pony up for large fines. So there's a lot of motivation. The days are gone when a hospital would sell the data of new mothers to CVS so they could get coupons in the mail. That's disallowed by HIPAA.
SM: But there's also a clamor for better records, and better ability to share them so we get better care. So how do you balance the privacy with the access?
TS: Those purposes you just mentioned are explicitly allowed under HIPAA. When I treat a patient and I need medical information from their physician, of course I should not have to jump through too many hoops to get it. And that's perfectly legal. That's what HIPAA wants to safeguard. At the same time it says I don't really need access to all patient records, just to the records of people that I treat. Insurers, health IT companies and others who have access to medical information have to have a contract in place with the hospitals that they work with that ensures they are also applying steep safeguards to protect medical information.
SM: But if there's more access between states and between healthcare providers, does that also give hackers an easier way in?
TS: That is correct. The more places you store medical information in, the more points of attack you give the hacking world. Insurance companies, which used to have closely guarded databases that didn't feed off live feeds, were more secure at that point. They were not out on the internet. But the more people store information on network-accessible computers, the more attack points you have.
SM: Is it possible to make any of this information perfectly safe?
TS: The answer to that is a categorical no. I would categorize it as an arms race. The researchers come up with new algorithms that are stronger, harder to break, and the hackers come up with more creative methods to break these keys.
The other thing that helps hackers as well as encryptors is the increasing computing power. So the more computing power you have, the easier it is to attack a particular target, because you can try out more combinations faster.
And the question is: how much do we invest in information security? It's just like insurance. To what degree do you insure your house? You insure it balancing the cost of the insurance with the risk, you think, of an adverse incident.
SM: So you think about banking as an institution that would take this very seriously. But should healthcare?
TS: Definitely. I don't think a social security number stored in a hospital is of lesser value than one stored in a bank. We should use the same standard there.
SM: Anthem is saying the medical information hasn't been compromised, just the personal information. But could medical information be used for medical fraud?
TS: When I think of medical fraud I think of Florida, I think of Medicare, I think of over-billing. For a hacker to use medical records for fraudulent purposes, to get reimbursed for something, it's not that it's impossible, it's just not a wonderful business model. Let's say your credit card gets stolen. Someone can go on Amazon and order something using your credit card. So the award there for the hacker is immediate. To commit medical fraud using a big data set of patients, that will take a lot of creativity to make some money off of.
SM: Can regular people do anything to make sure that their personal data is safe at their doctor's office?
TS: It's essentially out of your hands. [During a visit to your doctor] you fill out forms, you get interviewed, you get lab tests done. It's really the office that stores your information. And in many cases actually it's not even the office. At IU Health all of the physicians are on [an electronic medical records system], which is managed by a corporation. So the individual physician has no real input on how secure this is. And then beyond that there is an increasing trend toward cloud-based storage, even in healthcare. So some big companies don't even know where their data are, because they're in the cloud. In essence as a patient you are so removed from control over your information that you can't really do anything.
SM: So if we find out that our personal information is compromised, is there anything we should do?
TS: Take the normal steps. I've had a credit freeze on the three credit report providers ever since Pennsylvania passed that law. So my credit history is locked up. Unless I unlock it for a particular purpose nobody can access it, which means they also can't use it to open up an account in my name. So it's a great way not to worry too much about identity theft.
SM: Any other things we should be thinking about?
TS: One thing is tax returns. Many times fraudsters file a tax return for you. They get the check, they cash it before you actually know it. And one thing that has more of a connection to medical records: if your children are, let's say, with Anthem, you want to protect them also from identity theft. Because they don't have a credit history, so their social security numbers can be reused.