N.S.A. Able to Foil Basic Safeguards of Privacy on Web, Including Medical Records - Yet Another Reason To Be Concerned About What You Tell Your Physician

There's already a major issue with privacy and protection of medical records in electronic form.  See the multiple blog posts at this query link:  http://hcrenewal.blogspot.com/search/label/medical%20record%20privacy

Now this from the New York Times:

N.S.A. Able to Foil Basic Safeguards of Privacy on Web
By NICOLE PERLROTH, JEFF LARSON and SCOTT SHANE
September 5, 2013

The National Security Agency is winning its long-running secret war on encryption, using supercomputers, technical trickery, court orders and behind-the-scenes persuasion to undermine the major tools protecting the privacy of everyday communications in the Internet age, according to newly disclosed documents.

The agency has circumvented or cracked much of the encryption, or digital scrambling, that guards global commerce and banking systems, protects sensitive data like trade secrets and medical records, and automatically secures the e-mails, Web searches, Internet chats and phone calls of Americans and others around the world, the documents show.  

But don't worry, your electronic medical records are secure, and will NEVER be used for political purposes by your adversaries...

Beginning in 2000, as encryption tools were gradually blanketing the Web, the N.S.A. invested billions of dollars in a clandestine campaign to preserve its ability to eavesdrop. Having lost a public battle in the 1990s to insert its own “back door” in all encryption, it set out to accomplish the same goal by stealth. 

The agency, according to the documents and interviews with industry officials, deployed custom-built, superfast computers to break codes, and began collaborating with technology companies in the United States and abroad to build entry points into their products. The documents do not identify which companies have participated.

At least we may have gotten faster PC's as a side result of the research that supported these efforts.

... the agency used its influence as the world’s most experienced code maker to covertly introduce weaknesses into the encryption standards followed by hardware and software developers around the world.

Some of the agency’s most intensive efforts have focused on the encryption in universal use in the United States, including Secure Sockets Layer, or SSL; virtual private networks, or VPNs; and the protection used on fourth-generation, or 4G, smartphones. Many Americans, often without realizing it, rely on such protection every time they send an e-mail, buy something online, consult with colleagues via their company’s computer network, or use a phone or a tablet on a 4G network. 

Might as well just send them a copy of all your communications to spare them the effort...

... Ladar Levison, the founder of Lavabit, wrote a public letter to his disappointed customers, offering an ominous warning. “Without Congressional action or a strong judicial precedent,” he wrote, “I would strongly recommend against anyone trusting their private data to a company with physical ties to the United States.”

Hey, how about let's ALL have our medical records stored by health IT companies providing ASP (Application service provider, http://en.wikipedia.org/wiki/Application_service_provider) offsite EHR hosting services to hospitals and clinics...

From the site "techdirt.com":

Allegedly the NSA and GCHQ (UK Government Communications Headquarters) have basically gotten backdoors into various key security offerings used online, in part by controlling the standards efforts, and in part by sometimes covertly introducing security vulnerabilities into various products. They haven't "cracked" encryption standards, but rather just found a different way in. The full report is worth reading ... (http://www.techdirt.com/articles/20130905/12295324417/nsa-gchq-covertly-took-over-security-standards-recruited-telco-employees-to-insert-backdoors.shtml).

Half facetiously: unless you're a real nobody, if you, say, contracted V.D. from that sexy prostitute at that Vegas Convention, you perhaps better not tell your doctor about it.

Maybe this is what it will take to get the government to start taking electronic medical record privacy, confidentiality and security more seriously.

Our legislators, like everyone else, have a stake in the game.

-- SS

Calling Dr. Moe, Dr. Larry and Dr. Curly: Advocate Medical Breach of Four Million Patient Records, and No Encryption

At my Oct. 2011 post "Still More Electronic Medical Data Chaos, Pandemonium, Bedlam, Tumult and Maelstrom: But Don't Worry, Your Data is Secure" (http://hcrenewal.blogspot.com/2011/10/still-more-ehr-chaos-pandemonium-bedlam.html) I thought I'd seen the worst.

Yet another post to add to the category of medical record privacy/confidentiality/security (http://hcrenewal.blogspot.com/search/label/medical%20record%20privacy), however:

Advocate Medical Breach: No Encryption?
Computer Theft Raises Questions About Unencrypted Devices
By Marianne Kolbasuk McGee, August 27, 2013.

The recent theft of four unencrypted desktop computers from a Chicago area physician group practice may result in the second biggest healthcare breach ever reported to federal regulators. But the bigger issue is: Why do breaches involving unencrypted computer devices still occur?

According to the Department of Health and Human Services' "wall of shame" website listing 646 breaches impacting 500 or more individuals since September 2009, more than half of the incidents involved lost or stolen unencrypted devices. Incidents involving data secured by encryption do not have to be reported to HHS.

... The four unencrypted but password-protected computers [passwords on PC's are bypassable by smart teenagers - ed.] stolen during a burglary in July from an office of Advocate Medical Group in Illinois may have exposed information of about 4 million patients, according to an Advocate spokesman.

4 million is about 1.3 percent of the entire U.S. population (about 313.9 million in 2012) ... on just four desktop computers.

Try that with paper ...

As to the subtitle of the article, "Computer Theft Raises Questions About Unencrypted Devices", I've written on that issue before.  I'd noted questions like that are remarkable considering both MacOS and Windows have built-in, readily available encryption, the latter for a few extra $ for the "deluxe version" (see  http://en.wikipedia.org/wiki/FileVault and http://en.wikipedia.org/wiki/Bitlocker).  

Perhaps the best explanation in 2013 for unencrypted desktop PC's containing millions of confidential medical records is this picture, symbolic of the apparent attitudes of corporate and IT management on health IT security:

Encryption?  We don't need no encryption.  We got triple protection already!

-- SS

Kim Kardashian, Meet Electronic Medical Records

In yet another example of breach of medical record privacy (http://hcrenewal.blogspot.com/search/label/medical%20record%20privacy), Kim Kardashian's privacy on the birth of her daughter, as well as the privacy of more than a dozen other patients, was violated between June 18 and June 24:
 

Workers fired in privacy breach at L.A. hospital popular with stars

LOS ANGELES | Sat Jul 13, 2013

(Reuters) - Five medical workers have been fired over a patient data breach at Cedars-Sinai Medical Center, the Los Angeles facility said in a statement, while celebrity website TMZ reported on Saturday that the hacking effort targeted reality star Kim Kardashian.
Cedars-Sinai, a favorite destination for celebrities seeking medical care, said in the statement it has a "high standard for security" and "in this case that standard was violated."  [How do ordinary hospital workers, medical assistants, and even a volunteer as below violate a "high standard for security", I wonder? - ed.]

Kardashian, the star of the reality television show "Keeping Up With the Kardashians," gave birth on June 15 at Cedars-Sinai to daughter North West, whose father is Grammy-winning rap star Kanye West.

Cedars-Sinai officials declined to say whose privacy had been breached, but the hospital said it "informed the affected patients" and apologized to them.

The breach of 14 patient records occurred between June 18 and June 24, the hospital statement said.

TMZ reported that Kardashian checked out of Cedars-Sinai about a week after she gave birth and was contacted by the hospital and told she was one of the patients whose records were accessed.

TMZ, which cited unnamed sources, said Kardashian's family suspected a leak of information at Cedars-Sinai after media reports disclosed details Kardashian had not revealed to anyone.

Representatives for Kardashian did not return calls or emails seeking comment on Saturday.

The Cedars-Sinai statement said four of the workers who inappropriately logged onto the hospital's information system to access patient records were employees of local physicians with staff privileges at the hospital.

The other workers were a medical assistant employed by the Cedars-Sinai Medical Care Foundation and a student research assistant who was a volunteer, the hospital said. As a result of the privacy breach, the five medical workers with ties to Cedars-Sinai were fired and the volunteer barred from working there, it said.

Cedars-Sinai said that while it had no indication "any criminal acts were committed by the individuals" it was reaching out to law enforcement agencies in "an abundance of caution."

It looks like the "high standard for security" needs some work.

(A paper chart could have been sequestered, of course, not permitting its access by riff raff, but then there would not be all the tremendous advantages of today's commercial EHRs such as detailed at http://hcrenewal.blogspot.com/2013/07/rns-say-sutters-new-electronic-system.html.)

-- SS

IRS faces class action lawsuit over theft of 60 million medical records

Try this with paper records.  This is spectacular (as in, spectacularly alarming) if true:

IRS faces class action lawsuit over theft of 60 million medical records

The Internal Revenue Services is now facing a class action lawsuit over allegations that it improperly accessed and stole the health records of some 10 million Americans, including medical records of all California state judges.

According to a report by Courthousenews.com, an unnamed HIPAA-covered entity in California is suing the IRS, alleging that some 60 million medical records from 10 million patients were stolen by 15 IRS agents. The personal health information seized on March 11, 2011, included psychological counseling, gynecological counseling, sexual/drug treatment and other medical treatment data.

"This is an action involving the corruption and abuse of power by several Internal Revenue Service agents," the complaint reads. "No search warrant authorized the seizure of these records; no subpoena authorized the seizure of these records; none of the 10,000,000 Americans were under any kind of known criminal or civil investigation and their medical records had no relevance whatsoever to the IRS search. IT personnel at the scene, a HIPPA facility warning on the building and the IT portion of the searched premises, and the company executives each warned the IRS agents of these privileged records," it continued.   According to the case, the IRS agents had a search warrant for financial data pertaining to a former employee of the John Doe company, however, "it did not authorize any seizure of any healthcare or medical record of any persons, least of all third parties completely unrelated to the matter," the complaint read.

The class action lawsuit against the IRS seeks $25,000 in compensatory damages "per violation per individual" in addition to punitive damages for constitutional violations.  Thus, compensatory damages could start at a minimum of $250 billion.

According to the linked Courthousenews.com piece, the class is represented by attorney Robert E. Barnes of Malibu, California.   The Complaint is reported to state that the IRS' data theft was so enormous it affects "roughly one out of every twenty-five adult American citizens."

If a government agency decides to steal medical records, I'd rather the records be on paper than electronic. I think it's inarguable that it is a lot harder for 15 people to haul 60,000,000 paper charts away than a few hard disks.

Mass theft of records must be factored into the risk/benefit ratio of electronic health records.  See other posts on this topic at the label index terms below.

Addendum:  the Complaint is here (PDF).

-- SS

But don't worry, your EHR information is secure

My last reminder of this issue was almost a half-year ago, but I think a repeat is in order.

More bugs squashed:

Microsoft fixes critical Windows, IE flaws for Patch Tuesday

Microsoft has released four critical security updates for Windows and Internet Explorer, along with a bevy of other products, in order to protect against at least 19 vulnerabilities identified in its software.

On deck this month, there are four "critical" vulnerabilities that affect Windows, Internet Explorer, Office, and Windows Server, including one for Silverlight that affects both Windows and Mac machines.

The most severe Internet Explorer flaw affected all versions of Windows XP (Service Pack 3) and above, including Vista, Windows 7, and Windows 8 — including tablets running Windows RT — running Internet Explorer 6 and above. The flaw could have allowed a hacker to access the vulnerable system with the same user rights.

... The other vulnerabilities rated as "important" could allow data and information disclosure, or an elevation of privileges on affected machines. These affect SharePoint, OneNote, Outlook for Mac, and kernel-mode drivers in Windows-based machines.

I note that Windows XP is now more than a decade old, but Windows RT is brand-spanking new.

In a Nov. 2012 post somewhat vexatiously entitled "Why It's Crazy to Want Your Most Confidential Information Put into An Electronic Medical Records System" about Windows 8 flaws, I had indicated how common Microsoft products were in hospital IT.

I stand by that vexatious title.

But don't worry, your confidential medical information is secure, and your safety against malfunctioning IT that loses your critical medical information after hackers invade is assured, in our current rushed national health IT rollout.

What is the answer?  Until this technology has significantly been secured and debugged, this old triad applies:

• If you want your information secure, don't put it on a computer.
• If you must put it on a computer but still want some degree of security, don't put the computer on a network.
• If you must put the computer on a network, especially a network connected to the Internet, your information is no longer secure. 

It's premature in my view to be building and operationalizing national health records networks.  Unless, that is, patient information privacy, security and confidentiality are secondary considerations.

(In my view, they are seen by the national IT builders and promoters as secondary considerations, but the builders and promoters will never admit it, perhaps even to themselves.)

-- SS