Privacy Ain't What it Used to Be

A recent report that Web 2.0 (Facebook, Twitter, MySpace, et al.) continues to encourage friends to share private information at an alarming rate is hardly a surprise. Research at a number of universities demonstrates that things are probably worse than most people imagine. For instance, the 2009 Carnegie Mellon paper entitled “Predicting Social Security numbers from public data” explained how easy it is to find patterns in public data that lead to accurate predictions of Social Security numbers (SSNs) and birth dates. As we are well aware, cyber thieves are taking advantage of the personal information on the Internet.

Electronic Health Records (EHRs)

To make matters more interesting, the expansion of EHRs over the next four years will expose more personal medical information on the Internet. The US deadline of 2015 for implementing all EHRs may sound great to some, but we should be concerned about how well that personal information is protected. In fact, EHRs may make personal information a bigger target for cyber thieves. Recent warnings about cyber threats from the FBI and DHS should make us all uneasy.

SSNs Used for Personal Identification

As many of us remember, for many years health insurance companies used SSNs as their insureds’ account numbers, and a number of states used SSNs as drivers’ license numbers. So there are millions of historic records on US citizens that include SSNs. As a matter of fact, millions of Internet court records include divorce decrees, motions, and affidavits with SSNs, drivers’ license numbers, credit card numbers, and bank account numbers. Many states now limit posting of this personal information on the Internet, but records from the past abound with personal information. Given our open government view of open records laws, which sprang forth after Watergate in 1972, most people think government and court records should be open, but a hidden danger lurks in protecting personal information within those court records.

Is the US Cybersafe? Probably Not!

After a three-year study, a panel of former military leaders and IT professionals from the National Academy of Sciences reported that the US has no clear military policies for cyberattacks. Notwithstanding a recent blog about the NSA exceeding its authority to intercept email, we are not much safer from cyberattacks. One would have to live under a rock not to have noticed the significant number of system breaches. As a matter of fact, as pointed out in other blogs, LexisNexis just warned 32,000 individuals about data breaches in which personal information may have been improperly accessed in a credit card scheme as far back as 2004.

Proposed Federal Legislation to Update FISMA

The US Congress will be considering an update to FISMA (the Federal Information Security Management Act) called the "U.S. Information and Communications Enhancement Act of 2009." This proposed Act will create hacker squads to test the defenses of agency networks, and the agencies will be required to show how they can effectively detect and respond to cyberattacks. Currently only about five federal agencies conduct this type of testing.

Cyberattacks From Within

A former Sysadmin (System Administrator) recently pled guilty to a charge of cyber extortion for threatening his former employer and faces up to five years in prison and a fine of $250,000. After the Sysadmin was terminated last year, he complained about the severance and threatened to cause extensive damage to his former employer’s systems. Apparently he left many back doors in the systems he managed that allowed him to enter and cause havoc, which of course, as a Sysadmin, he had the authority to do.

How Safe Should We Feel?

Hopefully the US will get control of cyber security, because it seems patently obvious to even the most casual observer that the US is extremely vulnerable at this time. Maybe the US should spend $19 billion on cyber security rather than on Electronic Health Records (EHR), since the US is so dependent on the Internet today, and that dependence will only increase. Cyber safety is more critical than EHR.
 

Will $19 Billion Actually Buy Digital Health?

Merely spending $19B to spur the use of electronic health records (EHR) does not guarantee that the plan will succeed. A study funded by the Robert Wood Johnson Foundation reports that only 9% of US hospitals have EHRs. In addition, the American Medical Information Association reports that there is a need for about 70,000 medical informaticians who are trained in medical records and claims, and clinical care. It seems unlikely that EHR will succeed without properly trained individuals, since they are critical to the success of implementing EHRs.

Big Divide

With only 9% of US hospitals actually having EHRs, millions of people in the rural US are currently “have nots.” However, there is no question that many hospitals are implementing EHRs, since major medical systems from EPIC Systems, Eclipsys, Cerner, GE Healthcare, McKesson, and Siemens AG are being implemented throughout the US. These various medical systems provide EHR for millions of patients. For example, Epic claims to have 175 customers representing about 22% of the US population, approximately 70 million patients. So clearly there are a significant number of patients who either have EHRs now or will soon.

HIPAA Connection

I have never been a big fan of HIPAA (Health Insurance Portability and Accountability Act of 1996) given the cost and benefit to patients. It seems pretty clear that the 18 elements protected by HIPAA are easily available from various sources on the Internet. It’s not hard to find home addresses, phone numbers, Social Security numbers, birth dates, and email addresses, to name a few. It’s not clear how much money was spent on HIPAA, and to what end? Medical care providers spent a fortune, and many vendors profited, but it’s not clear that medical privacy is any better today than it was when HIPAA was created in 1996. Without question the growth of the Internet has made personal information a greater challenge to protect.

So it seems highly unlikely that just spending $19B will ensure that EHRs will be a success.