
Friday, September 6, 2013

N.S.A. Able to Foil Basic Safeguards of Privacy on Web, Including Medical Records - Yet Another Reason To Be Concerned About What You Tell Your Physician

There's already a major issue with privacy and protection of medical records in electronic form.  See the multiple blog posts at this query link:  http://hcrenewal.blogspot.com/search/label/medical%20record%20privacy

Now this from the New York Times:

N.S.A. Able to Foil Basic Safeguards of Privacy on Web
By NICOLE PERLROTH, JEFF LARSON and SCOTT SHANE
September 5, 2013

The National Security Agency is winning its long-running secret war on encryption, using supercomputers, technical trickery, court orders and behind-the-scenes persuasion to undermine the major tools protecting the privacy of everyday communications in the Internet age, according to newly disclosed documents.

The agency has circumvented or cracked much of the encryption, or digital scrambling, that guards global commerce and banking systems, protects sensitive data like trade secrets and medical records, and automatically secures the e-mails, Web searches, Internet chats and phone calls of Americans and others around the world, the documents show.  

But don't worry, your electronic medical records are secure, and will NEVER be used for political purposes by your adversaries...

Beginning in 2000, as encryption tools were gradually blanketing the Web, the N.S.A. invested billions of dollars in a clandestine campaign to preserve its ability to eavesdrop. Having lost a public battle in the 1990s to insert its own “back door” in all encryption, it set out to accomplish the same goal by stealth. 

The agency, according to the documents and interviews with industry officials, deployed custom-built, superfast computers to break codes, and began collaborating with technology companies in the United States and abroad to build entry points into their products. The documents do not identify which companies have participated.

At least we may have gotten faster PCs as a side result of the research that supported these efforts.

... the agency used its influence as the world’s most experienced code maker to covertly introduce weaknesses into the encryption standards followed by hardware and software developers around the world.

Some of the agency’s most intensive efforts have focused on the encryption in universal use in the United States, including Secure Sockets Layer, or SSL; virtual private networks, or VPNs; and the protection used on fourth-generation, or 4G, smartphones. Many Americans, often without realizing it, rely on such protection every time they send an e-mail, buy something online, consult with colleagues via their company’s computer network, or use a phone or a tablet on a 4G network. 

Might as well just send them a copy of all your communications to spare them the effort...

... Ladar Levison, the founder of Lavabit, wrote a public letter to his disappointed customers, offering an ominous warning. “Without Congressional action or a strong judicial precedent,” he wrote, “I would strongly recommend against anyone trusting their private data to a company with physical ties to the United States.”

Hey, how about let's ALL have our medical records stored by health IT companies providing ASP (Application service provider, http://en.wikipedia.org/wiki/Application_service_provider) offsite EHR hosting services to hospitals and clinics...

From the site "techdirt.com":

Allegedly the NSA and GCHQ (UK Government Communications Headquarters) have basically gotten backdoors into various key security offerings used online, in part by controlling the standards efforts, and in part by sometimes covertly introducing security vulnerabilities into various products. They haven't "cracked" encryption standards, but rather just found a different way in. The full report is worth reading ... (http://www.techdirt.com/articles/20130905/12295324417/nsa-gchq-covertly-took-over-security-standards-recruited-telco-employees-to-insert-backdoors.shtml).

Half facetiously: unless you're a real nobody, if you, say, contracted V.D. from that sexy prostitute at that Vegas convention, you had perhaps better not tell your doctor about it.

Maybe this is what it will take to get the government to start taking electronic medical record privacy, confidentiality and security more seriously.

Our legislators, like everyone else, have a stake in the game.

-- SS


Wednesday, August 28, 2013

Calling Dr. Moe, Dr. Larry and Dr. Curly: Advocate Medical Breach of Four Million Patient Records, and No Encryption

In my Oct. 2011 post "Still More Electronic Medical Data Chaos, Pandemonium, Bedlam, Tumult and Maelstrom: But Don't Worry, Your Data is Secure" (http://hcrenewal.blogspot.com/2011/10/still-more-ehr-chaos-pandemonium-bedlam.html) I thought I'd seen the worst.

However, here is yet another post to add to the category of medical record privacy/confidentiality/security (http://hcrenewal.blogspot.com/search/label/medical%20record%20privacy):

Advocate Medical Breach: No Encryption?
Computer Theft Raises Questions About Unencrypted Devices
By Marianne Kolbasuk McGee, August 27, 2013.

The recent theft of four unencrypted desktop computers from a Chicago area physician group practice may result in the second biggest healthcare breach ever reported to federal regulators. But the bigger issue is: Why do breaches involving unencrypted computer devices still occur?

According to the Department of Health and Human Services' "wall of shame" website listing 646 breaches impacting 500 or more individuals since September 2009, more than half of the incidents involved lost or stolen unencrypted devices. Incidents involving data secured by encryption do not have to be reported to HHS.

... The four unencrypted but password-protected computers [passwords on PCs are bypassable by smart teenagers - ed.] stolen during a burglary in July from an office of Advocate Medical Group in Illinois may have exposed information of about 4 million patients, according to an Advocate spokesman.

4 million is about 1.3 percent of the entire U.S. population (about 313.9 million in 2012) ... on just four desktop computers.

Try that with paper ...

As to the subtitle of the article, "Computer Theft Raises Questions About Unencrypted Devices", I've written on that issue before. I'd noted that questions like that are remarkable, considering that both MacOS and Windows have built-in, readily available encryption, the latter for a few extra $ for the "deluxe version" (see http://en.wikipedia.org/wiki/FileVault and http://en.wikipedia.org/wiki/Bitlocker).

Perhaps the best explanation in 2013 for unencrypted desktop PCs containing millions of confidential medical records is this picture, symbolic of the apparent attitudes of corporate and IT management on health IT security:


Encryption?  We don't need no encryption.  We got triple protection already!


-- SS

Wednesday, March 13, 2013

But don't worry, your EHR information is secure

My last reminder of this issue was almost a half-year ago, but I think a repeat is in order.

More bugs squashed:

Microsoft fixes critical Windows, IE flaws for Patch Tuesday

Microsoft has released four critical security updates for Windows and Internet Explorer, along with a bevy of other products, in order to protect against at least 19 vulnerabilities identified in its software.

On deck this month, there are four "critical" vulnerabilities that affect Windows, Internet Explorer, Office, and Windows Server, including one for Silverlight that affects both Windows and Mac machines.

The most severe Internet Explorer flaw affected all versions of Windows XP (Service Pack 3) and above, including Vista, Windows 7, and Windows 8 — including tablets running Windows RT — running Internet Explorer 6 and above. The flaw could have allowed a hacker to access the vulnerable system with the same user rights.

... The other vulnerabilities rated as "important" could allow data and information disclosure, or an elevation of privileges on affected machines. These affect SharePoint, OneNote, Outlook for Mac, and kernel-mode drivers in Windows-based machines.

I note that Windows XP is now more than a decade old, but Windows RT is brand-spanking new.

In a Nov. 2012 post somewhat vexatiously entitled "Why It's Crazy to Want Your Most Confidential Information Put into An Electronic Medical Records System" about Windows 8 flaws, I had indicated how common Microsoft products were in hospital IT.

I stand by that vexatious title.

But don't worry, your confidential medical information is secure, and your safety against malfunctioning IT that loses your critical medical information after hackers invade is assured, in our current rushed national health IT rollout.

What is the answer? Until this technology has been significantly secured and debugged, this old triad applies:

  • If you want your information secure, don't put it on a computer.
  • If you must put it on a computer but still want some degree of security, don't put the computer on a network.
  • If you must put the computer on a network, especially a network connected to the Internet, your information is no longer secure.

It's premature in my view to be building and operationalizing national health records networks.  Unless, that is, patient information privacy, security and confidentiality are secondary considerations.

(In my view, they are seen by the national IT builders and promoters as secondary considerations, but the builders and promoters will never admit it, perhaps even to themselves.)
-- SS