TOPICS

COLUMNS

LISTINGS

2001 LISTINGS

HELP

PARTNER LINKS

TECHNOLOGY

Security breach: Hacker gets medical records

A computer break-in at the University of Washington puts the spotlight on the privacy of medical records. But many say paper records are even less secure.

By Tyler Chin, amednews staff. Jan. 29, 2001.

The University of Washington Medical Center, after some prodding, acknowledged that a hacker had infiltrated its computer system last year, stealing confidential records of thousands of patients.

While not minimizing the seriousness of the security breach, some physicians said their peers should not let the incident -- or the risk of hackers in general -- deter them from using electronic medical records. They say the benefits of using electronic systems to improve care and practice efficiency outweigh the security risks.

Protecting your paper records
Protecting your electronic records
Links

"In no way do I want to minimize what happened," said Richard W. Whitten, MD, an internist in Bellevue, Wash. Dr. Whitten works for the University of Washington Physician Network, a multispecialty group affiliated with the University of Washington Medical Center.

"It's extremely serious, but on the other hand we must look at how to take care of people better, and the electronic medical record is the way to go," he said.

Forgotten in the glare of publicity following last month's disclosure of the computer break-in at the medical center is that the state of security surrounding paper-based records leaves those records just as vulnerable as, if not more so than, electronic records, say physicians and privacy experts.

"We shouldn't fool ourselves about how secure medical records are," said Samuel W. Cullison, MD, a family physician and director of Providence Family Medicine, a Seattle-based family practice program affiliated with the University of Washington Medical Center. "Only an extremely naïve person believes that paper records are secure."

He and Dr. Whitten said their patients were not affected by the computer intrusion.

The intrusion at the University of Washington Medical Center was first reported on Dec. 6, 2000, by SecurityFocus.com, a Web site devoted to security issues.

The academic teaching hospital initially disputed the report as "completely inaccurate." It acknowledged that it had detected and stopped an attempt to hack into its system last summer. It denied that the hacker had gained control of its network and said it had no evidence that any records had been stolen.

But the center changed its account the next day after Seattle journalists got samples of the stolen records and presented them to the medical center for verification.

After verifying that the samples were authentic, the medical center acknowledged its computer network had been infiltrated.

The hacker gained access to administrative databases containing records of at least 5,000 cardiology and rehabilitation medicine patients, said Tom Martin, the medical center's chief information officer.

The provider uses the databases to track patients and provide quality assurance, Martin said. The records that the hacker downloaded included the names, addresses and Social Security numbers of patients along with medical procedures they had undergone.

The hacker gained access to the databases over the Internet by using a "sniffer" program, which enabled him to capture an ID and password from an authorized user, Martin said. He acknowledges that the databases were not secure; there were no firewalls separating them from the Internet, and user IDs and passwords were not encrypted.

The medical center has bolstered security for the databases and is reviewing its security procedures and systems, Martin said.

The University of Washington also is notifying the affected patients in writing and is cooperating with federal law enforcement authorities. It emphasized that it has no evidence that anyone has breached its main electronic medical records system.

A 25-year-old Dutch hacker identifying himself as "Kane" took credit for the intrusion, which occurred last June or July. He shared his exploits with SecurityFocus.com to show how vulnerable electronic health records are.

Kane, who said he did not alter any record, told the site he saw his action as a "renegade public service." He also told SecurityFocus that he had penetrated an unidentified medical center in New York and another in Holland, but did not gain significant access to their systems.

Electronic records still encouraged

As serious as the security breach is, Dr. Cullison still encourages physicians to adopt electronic medical records. "Though I don't use an electronic medical record, I'm one of those physicians who believes that the future of health care is with the electronic medical record because of all the benefits that can accrue to the patient and [physician efficiency]," he said.

Any computer system is vulnerable to hackers with the technical skill and determination to break into it, Dr. Cullison said. Even groups that have state-of-the-art computer security, including Microsoft Corp. and the Pentagon, have been victimized recently, he said.

Dr. Whitten agreed. Since his group began using the electronic medical records information system owned by the University of Washington Medical Center in 1997, he has seen a dramatic improvement in clinical documentation, quality of care and office efficiency.

For example, when he enters orders online, the system checks for adverse drug events, Dr. Whitten said. "Having watched what happens to [paper] medical records in my office before, the computer system generally seems to be vastly superior for patient protection."

Another benefit of electronic records is that they, unlike paper records, don't get lost or misplaced, he said.

Not the first time

Privacy observers said the break-in at the University of Washington may be one of the few times such an incident has become publicly known. But it is unlikely that it was the first time a hacker had gained unauthorized access to medical records.

Computer intrusions probably occur more often than is known because victims don't publicly acknowledge them, said Robert Gellman, a Washington, D.C., privacy and information policy consultant.

When electronic intrusions become known, they receive much publicity. But what many people may not realize is that the number of violations of medical privacy resulting from hacking is lower than that committed by insiders, including clerks and administrative staff, Gellman said. In part, that's because so many people have access to records inside a physician's office or hospital, he said.

Another reason is that the medical community simply hasn't paid attention to protecting the security of medical records regardless of their format, Gellman contends. "When I talk to medical records people, they say, 'Yes, [privacy] is a serious problem but we're not going to do anything about it until you put a gun to our heads,' " Gellman said. "The gun is HIPAA."

The Health Insurance Portability and Accountability Act of 1996 requires providers, claims clearinghouses and health plans to implement administrative and technical steps to protect the confidentiality of electronic health records.

But in December 2000, the Clinton administration released a final privacy rule extending the requirement to cover all medical records, including paper records and oral communications involving identifiable patient data. The rule, which sprang from HIPAA, will take effect in two years.

Assessing the security risk

Paper-based and electronic records have different benefits and risks from a security perspective, said Gerald Masson, PhD, interim director of the Johns Hopkins University Information Security Institute and chair of the university's computer science department. For example, only one person at any given time can see a paper record, while an electronic medical record can be viewed simultaneously by many.

Another key difference is that if someone breaks through the security surrounding an electronic system, he or she can make unlimited copies of a document or distribute it by posting it on the Internet, Dr. Masson said. Opportunities to widely copy and distribute paper-based records are more limited, he added.

Dr. Masson said electronic records are more secure than paper records if proper steps are taken, including public key encryption technology. Such technology assures the sender that only the intended recipient would have the "key" to decrypt the data, he said. A hacker could try to find the key, but it would require a tremendous amount of time and computing power.

To protect computers from hackers, Dr. Masson recommends that physicians use the latest version of encryption software to keep pace with new security threats and computing power. Physicians also should be vigilant about security and privacy of any medical record. "There's no such thing as a totally secure document if it's available to authorized users," he said.

Other computer experts said doctors who have broadband or high-speed connections to the Internet should install firewall software that helps watch for intrusions. Doctors using broadband are vulnerable to hackers because the always-on connection means the computer has a fixed Internet protocol address, which identifies the sender and user of information through the Internet.

With a standard dial-up modem connection, the risk of a hacker getting into a doctor's computer system is minimal, because he or she is on the Internet for short periods of time. Each time a doctor logs on, a different IP address is assigned to that computer, which makes it less vulnerable.

ADDITIONAL INFORMATION:

Protecting your paper records

Assess your environment and develop security and privacy policies.
Educate employees as soon as they are hired about the importance of protecting patient privacy and confidentiality.
Emphasize that patient files are not to be left lying around the office where someone walking by can easily view them.
Use a number-based filing system instead of patients' names.
Safeguard or lock the medical records area.
Restrict access to authorized personnel.
Don't let records be taken from the office unless they are subpoenaed or by court order. In such cases, make sure the records in question are accompanied by staff.
Always ask why someone is requesting a record. Access should be granted based on a person's job duties and need to know.
Seek patient authorization whenever copies of patient records are given out as required under the law.
Do not fax documents except under urgent circumstances.
Keep a log of when a record is checked out and by whom.
When recycling or disposing of medical records, set them aside in a secure bin for secure disposal; this could include shredding them or retaining a firm to incinerate them.

Source: American Health Information Management Assn.

Protecting your electronic records

Comply with the guidelines and requirements for the privacy, security and confidentiality of medical records as required by the Health Insurance Portability and Accountability Act of 1996.
Assess your environment and develop security and privacy policies.
Educate employees as soon as they are hired about the importance of protecting patient privacy and confidentiality.
Be careful about displaying patient data on the screen of an unattended computer monitor.
Keep computers away from public view and access.
Use screen savers.
Use encryption.
Periodically change user IDs and passwords.
Do not share your user ID and password with others and do not write them down.
Revoke IDs and passwords as soon as authorized users resign or are fired.
Safeguard or lock the medical records area.
Use audit trails to track when a record is accessed and by whom.
Install firewall software.

Sources: Johns Hopkins University Information Security Institute; American Health Information Management Assn.

Privacy gap at California's Health Net blamed on human error

Health Net of California has confirmed that a computer programming error led the health insurer to mail sensitive patient data to the wrong people. The incident highlights the fact that breaches of medical privacy can occur as a result of human error as well as deliberate efforts by hackers to break into the computer systems of health care entities.

Woodland Hills, Calif.-based Health Net, which insures about 2.2 million people, last month mailed a packet of information, including a list of names of patients being treated for depression with associated anxiety, to nearly 5,000 physicians. The problem is that each doctor who received the packet got another doctor's patient list because a computer programming error incorrectly matched names of patients and doctors, said Brad Kieffer, a spokesman for Health Net.

Health Net discovered the mistake when two physicians alerted the health insurer that they had received inaccurate lists, Kieffer said. Health Net then wrote letters to physicians, asking them to destroy the lists. The error affected about 12,000 patients.

Although doctors got patient data they should not have seen, Health Net argues that patient privacy was not violated because, of all the people who could have gotten the wrong information, physicians would be the least likely to disseminate or misuse the data.

To ensure that it will not repeat its mistake, Health Net "bolstered quality assurance oversight for these kinds of projects" of which the mailing is part, Kieffer said. The mailing, which included treatment guidelines from a federal agency, was part of a common industry practice in which insurers provide information to physicians to improve care, he said.

This is not the first time human error has resulted in a violation of patient privacy. Last summer, Kaiser Permanente, Oakland, Calif., accidentally violated the privacy of hundreds of members when it e-mailed to the wrong people private messages containing answers to medical questions and patient names, addresses and phone numbers. Kaiser Permanente blamed a programming error for the errant e-mails.