
Banking as the Standard Healthcare Should Look Up To On Medical Information Security?

Wednesday, June 27, 2012
In past posts, including "Don't Worry, Your Electronic Medical Records Are Getting Safer With Every Passing Day", "Another Episode of 'But Don't Worry, Your Records are Safe...'", "Still More Electronic Medical Data Chaos, Pandemonium, Bedlam, Tumult and Maelstrom: But Don't Worry, Your Data is Secure", "Don't Worry, Your Records are Safe - Part IV" and others, I wrote on the issue of medical record security.

Banking has been held up as the standard against which medicine is compared, with medicine being called archaic and behind the times for its reliance on paper. Banking security is cited as a reason why electronic medical records can also be secured.

There's this:

Fraud Ring In Hacking Attack On 60 Banks 

June 27, 2012

Some 60m euro is stolen from bank accounts in a massive cyber raid, after fraudsters raid dozens of banks around the world.

By Pete Norman, Sky News Online


Sixty million euro has been stolen from bank accounts in a massive cyber bank raid after fraudsters raided dozens of financial institutions around the world.

According to a joint report by software security firm McAfee and Guardian Analytics, more than 60 firms have suffered from what it has called an "insider level of understanding".

"The fraudsters' objective in these attacks is to siphon large amounts from high balance accounts, hence the name chosen for this research - Operation High Roller," the report said.

"If all of the attempted fraud campaigns were as successful as the Netherlands example we describe in this report, the total attempted fraud could be as high as 2bn euro (£1.6bn)."

The automated malicious software programme was discovered to use servers to process thousands of attempted thefts from both commercial firms and private individuals.

The stolen money was then sent to so-called mule accounts in caches of a few hundreds and 100,000 euro (£80,000) at a time.

Credit unions, large multinational banks and regional banks have all been attacked.

Sky News defence and security editor Sam Kiley said: "It does include British financial institutions and has jumped over to North America and South America.

"What they have done differently from routine attacks is that they have got into the bank servers and constructed software that is automated.

"It can get around some of the mechanisms that alert the banking system to abnormal activity."

The details of the global fraud come just a day after the MI5 boss warned of the new cyber security threat to UK business.

McAfee researchers have been able to track the global fraud, which still continues, across countries and continents.

"They have identified 60 different servers, many of them in Russia, and they have identified one alone that has been used to steal 60m euro," Kiley said.

"There are dozens of servers still grinding away at this fraud – in effect stealing money."

That's all very reassuring.   Let's put all of our personal medical secrets online ASAP.  Don't worry, your information's safe and secure.

-- SS


More Electronic Medical Record Breaches: You Could Not Do This With Paper

Tuesday, June 5, 2012
I have written repeatedly on the dangers posed by poorly managed health IT regarding information breaches.  See "2011 Closes on a Note of Electronic Medical Record Privacy Breach Shame" and other posts at this query link:   http://hcrenewal.blogspot.com/search/label/medical%20record%20confidentiality

Now this, from Kaiser Health News and The Washington Post:

As Patients' Records Go Digital, Theft And Hacking Problems Grow 
Jun 03, 2012

As more doctors and hospitals go digital with medical records, the size and frequency of data breaches are alarming privacy advocates and public health officials.

Keeping records secure is a challenge that doctors, public health officials and federal regulators are just beginning to grasp. And, as two recent incidents at Howard University Hospital show, inadequate data security can affect huge numbers of people.  

With paper, you'd need a stream of trucks to accomplish this magnitude of theft:

On May 14, federal prosecutors charged one of the hospital's medical technicians with violating the Health Insurance Portability and Accountability Act, or HIPAA. Prosecutors say that over a 17-month period Laurie Napper used her position at the hospital to gain access to patients' names, addresses and Medicare numbers in order to sell their information. A plea hearing has been set for June 12; Napper's attorney declined comment.

Just a few weeks earlier, the hospital notified more than 34,000 patients that their medical data had been compromised. A contractor working with the hospital had downloaded the patients' files onto a personal laptop, which was stolen from the contractor's car. The data on the laptop was password-protected but unencrypted, which means anyone who guessed the password could have accessed the patient files without a randomly generated key. According to a hospital press release, those files included names, addresses, and Social Security numbers -- and, in a few cases, "diagnosis-related information."

I add that they could also probably have booted the laptop from alternate media, and/or removed the hard drive and inserted it into another computer, to access the contents.

Ronald J. Harris, Howard University's top spokesman, said in an e-mail that the two incidents are unrelated, but declined to answer further questions. In its press release about the stolen laptop, the hospital said it will set new requirements for all laptops used by contractors and those issued to hospital personnel to help protect data.

Still it could have been worse. Much worse.

Just days after Howard University contacted its patients about the stolen laptop, the Utah Department of Health announced that hackers based in Eastern Europe had broken into one of its servers and stolen personal medical information for almost 800,000 people -- more than one of every four residents of the state.

How many trucks (and Stargate SG-1 style invisibility cloaks) would it take to inconspicuously steal 800,000 paper charts, I ask?

And last November, TRICARE, which handles health insurance for the military, announced that a trove of its backup computer tapes had been stolen from one of its contractors in Virginia. The tapes contained names, Social Security numbers, home addresses and, in some cases, clinical notes and lab test results for nearly 5 million patients, making it the largest medical data breach since the Department of Health and Human Services began tracking incidents two and a half years ago.

Five million charts in a country of 300 million people...

As recently as five years ago, it's possible no one outside Howard University would have known about the incidents there. But, new reporting rules adopted as part of the 2009 stimulus act insure the public knows far more about medical data breaches than in the past. When a breach occurs that affects 500 or more patients, health care providers now must notify not only HHS, but also the media.

Meaning there were breaches the public does not know about.

Deven McGraw, director of the health privacy project at the Center for Democracy & Technology, a Washington-based Internet advocacy group, said the number of incidents is growing with the increased use of digital health records. The health care industry, she added, has been slow to respond.

A problem is not enough "motivation."

"Many financial companies have used encryption for years and they probably wonder what the heck is going on with the health care industry," McGraw said. "It's much cheaper to deploy safeguards than to suffer a breach."

I offer a one word answer:  complacency.

Now for the "spin control":

This growing problem puts HHS in a tough spot. It is pushing hospitals and doctors to adopt electronic health records, but it's also responsible for punishing health care providers who fail to properly secure their patients' records.

"Mistakes happen, incidents happen, corners get cut from time to time," said Susan McAndrew, deputy director for health information policy at HHS's Office of Civil Rights. "That's where we come in."

"From time to time" is a rather modest description of the millions of breaches mentioned in just this posting.

But as I've written before, don't worry, your records are safe.

Just don't tell the doctor about that "incident" at that seedy club the other night, and find some other excuse to get the antibiotics you need, and that information will be safe, too.

-- SS