Kaiser Had Malware on Server for 2.5 Years

By Joseph Goedert | April 8, 2014 | HealthData Management

The Northern California division of Kaiser Permanente is notifying about 5,100 patients that protected health information was on a server found in February 2014 to be infected with malicious software.

In a letter to patients, the organization says it believes the server was infected in October 2011. Kaiser removed the server, which was used to store research data, and confirmed other servers were not affected and appropriately secured. “We currently have no information that any unauthorized person accessed the information on the server,” according to the patient letter. “However, the malicious software broke down the server’s security barriers so we are investigating and responding with a very high level of caution and concern. We are very sorry that this happened.”

Information on the server included patient name, date of birth and gender, and also may have included address, race-ethnicity, medical record number, lab results associated with research, and patient responses to questions related to research studies in which they participated. Social Security numbers and data from Kaiser’s electronic health record were not held on the server.

The new breach soon will be listed on the HHS Office for Civil Rights’ website of major security breaches affecting 500 or more individuals, and it will be Kaiser’s fourth posting on the site.

In late 2013, a missing flash drive from the nuclear medicine department at Anaheim Medical Center resulted in notifications sent to about 49,000 patients. Also in 2013, Kaiser notified 647 patients after learning of unauthorized access/disclosure of the EHR. In late 2009, the organization notified about 15,500 patients following the theft of an electronic portal device.

Re: Invasion of the Data Snatchers

Bill Keller’s NYTimes op-ed, “Invasion of the Data Snatchers,” is a fantastic piece on the hazy lines surrounding individual privacy in our new “surveillance economy.” Looking critically at The Journal News’ decision to publish the names and addresses of handgun permit holders in two nearby counties, as well as other instances in which people’s personal information is publicly shared, he asks a critical question: “What is the boundary between a public service and an invasion of privacy?” He then goes on to discuss the erosion of privacy and the challenges we face in determining “what information is worth defending and how to defend it.”

As the article says, “You can take your pick of the ways Facebook and Google are monetizing you by serving up your personal profile and browsing habits to advertisers for profit. Some of this feels harmless, or even useful — why shouldn’t my mobile device serve me ads tailored to my interests? But some of it is flat-out creepy. One of the more obnoxious trends is the custom-targeting of that irresistibly vulnerable market, our children.” Keller makes a good point—with so many different entities vying for a piece of your data, how can you know where to begin fighting back? And, it can be so overwhelming to think about the dirty underbelly of data sharing that it’s easier to say it’s no big deal in the long run, especially if you feel like you’re benefiting from it now.

For PPR, the bottom line is this: the erosion of our individual privacy is a critical issue. While some may be quick to dismiss such concerns, we have to remember that what we do now to protect our fundamental right to privacy matters. It matters to us in the present day and it matters to the futures of our children, our grandchildren, and so on…

Yes, there can be great benefits to the unparalleled connectivity and access people have to information in the rapidly shifting landscape of the digital era. At the same time, we have to make sure we establish clear boundaries and give people a say in the ways in which their information is accessed and used, particularly when it comes to sensitive data, like our personal health information. However, as Keller points out, protection of our privacy “doesn’t happen if we don’t demand it.”

This year, PPR will address a similar topic at its 3rd International Summit on the Future of Health Privacy: The Value of Health Data vs. Privacy — How Can the Conflict Be Resolved? We urge you to join us to be a part of the important conversations that will take place as we look at how our health information is valued, who has access to it, and what we can do to protect our privacy in an increasingly connected world.

Health IT group drafts privacy recommendations

A federally chartered advisory work group charged in June with devising recommendations on privacy and security policies to support the government’s electronic health-record system subsidy program presented today its near-final list of guidelines to the Health Information Technology Policy Committee.

The work group, known as the privacy and security tiger team, met Monday and released what amounts to a consensus report on its recommendations, said Deven McGraw, co-chair of the tiger team and director of the Health Privacy Project at the Center for Democracy and Technology, a Washington think tank. The Health IT Policy Committee advises the Office of the National Coordinator for Health Information Technology at HHS…

According to the tiger team’s draft document posted on the HIT Policy Committee’s website, the team’s recommendations are based on “fair information practices,” a now globally accepted set of privacy policy guidelines that stems from a 1973 report by the U.S. Department of Health, Education and Welfare.

“All entities involved in health information exchange—including providers and third-party service providers like Health Information Organizations (HIOs) and intermediaries—follow the full complement of fair information practices when handling personally identifiable health information,” according to the tiger team proposal.

Problems with IBM’s new “massive” research study

Healthcare IT News released an article about IBM’s new research project: IBM launches massive health data research project

IBM plans to bring together personal data on individuals far beyond what is available in the health care system (including environmental and financial data on individuals) to “pinpoint incentives governments and businesses might offer” to patients to improve health. The plan is to first study childhood obesity.

The problem is IBM’s research project does not appear to start with obtaining informed consent from the individuals (or their parents) whose data will be collected and studied.

There is no mention of the legal or ethical authority or basis that permits IBM corporation to collect, analyze, and do research on so much sensitive personal information on individual children, in order to decide which “actions” to incentivize to improve a particular child’s health.

Yet, IBM’s research aims to help doctors treating specific individual patients: “all these complex issues need to meld into a single thread of conversation as I talk to my patient.”

The story mentions numerous groups IBM is working with, but it appears that no consumer, patient, child, or privacy advocacy organizations are “partners” in this massive research project.

More Quotes:
• project will combine and analyze massive data sources that have never before been integrated to simulate the cause-and-effect relationships between agriculture, transportation, city planning, eating and exercise habits, socio-economic status, family life, and more
• project could help pinpoint incentives governments and businesses might offer or what types of investments might be needed and how to prioritize them
• it’s been impossible to understand and to quantify precisely how each factor in our environment plays a role
• IBM researchers said they will partner with public policy and food experts, medical clinicians, economists, simulation experts, industry leaders, universities and others in this collaborative endeavor
• “In many cases, the data and models exist. They just need to be put together in a consumable way that shows the wider connections and potential actions that can enhance individual and community health,” said Paul Maglio, an IBM researcher.

IBM launches massive health data research project

SAN JOSE, CA – IBM has announced it has launched a multi-year research project to connect and analyze enormous collections of data from a wide variety of sources to find ways to improve health. The project will initially focus on childhood obesity.

The IBM Research project will combine and analyze massive data sources that have never before been integrated to simulate the cause-and-effect relationships between agriculture, transportation, city planning, eating and exercise habits, socio-economic status, family life, and more, researchers said.

How to reconcile Kaiser’s statements about who can access patient data

Two reports of how Kaiser Permanente approaches security left this blogger scratching her head last week, as the reports might seem to contradict each other. And because the VA Watchdog had the same questions I have, I decided to follow up.

On February 28, and as reported by Health Data Management, Eric Liederman, M.D., director of medical informatics at Kaiser Permanente’s Northern California division, described the security approach this way during the Physicians Symposium at the HIMSS 2010 Conference & Exhibition in Atlanta:

Open Source Research

See the Government Health IT article: NCI to open research grid to cancer patient ‘army’

Women desperate to cure breast cancer are contributing their sensitive personal health information to “an army” of researchers.

But there is no reason that these altruistic women have to risk their futures and their daughters’ futures to find a cure.

It’s possible to do research without risking their futures and their daughters’ and granddaughters’ futures by using privacy-protective technologies and robust informed electronic consent. But this project does NOT protect the privacy of these generous and well-intentioned women.

The women’s data can be downloaded by “thousands of users”, all of whom make copies of their extremely sensitive, IDENTIFIABLE records. The records are identifiable so that the women can be contacted by researchers.

Some of the major things wrong with this picture:
1) The NCI system allows “researchers (to) form and maintain large breast cancer disease databases.” Is there any way to tell if the security is ironclad, state-of-the-art? No.
2) How many copies will researchers make? How many times will the data be replicated and backed-up across the world? No way to know.
3) What countries will copies of the records be kept in? No way to know.
4) How many and which researchers will download and keep their data? No way to know.
5) The researchers must sign agreements to protect and not sell the data, but there are no ‘data police’ to enforce those agreements. If there are no ‘data police’ watching this data, how do the women know it’s safe? No way to know.
6) What if a woman does not approve of a particular study or researcher who has their data? Can a woman prevent any researcher from using her information? No.
7) How will the data be handled after the research study is complete? How will the women know if it is destroyed? No way to know.
8) How safe is research access via a web browser? No way to know.

The severe flaws in this plan are obvious. Fearful women desperate for cures are being exploited by the government and the research industry that designed these systems to serve their needs, NOT the women’s rights to privacy. Putting such sensitive data out into cyberspace KNOWING it can never be retrieved or destroyed is grossly irresponsible. Like Paris Hilton’s sex video, this data will live forever in cyberspace, risking future jobs and opportunities of every child of every woman desperate for a cure.

The NCI could do this a better way—we can have research and privacy at the same time. But the privacy protective technologies that can enable both are not being used. Why not?????

See our testimony Sept 18th at the national HIT Policy Committee and the many letters from the Coalition for Patient Privacy to federal agencies and Congress describing how to do research while protecting privacy.

And NO–the Genetic Information Nondiscrimination Act (GINA) DOES NOT protect our genetic data. It allows insurers and employers to have our genetic data and it has no enforcement. Zero. And HIPAA has no protections for genetic data either–it allows others to control and use our data without consent.

The cost of contributing to research should not be that your female descendants are unemployable. Unless data is protected, we will have generations of people who cannot work because employers will not risk hiring anyone at risk of getting a disease.

De-identified? Yeah, right.

See these articles:
Netflix Contest Seen As Posing Privacy Risk
Netflix is about to commit a privacy Valdez with its customers’ viewing data
AOL, Netflix and the end of open access to research data

Once again Netflix plans to violate the privacy of those who rate the movies they rent. Two University of Texas computer scientists demonstrated that the Netflix database of 500,000 renters’ movie ratings could be re-identified, revealing sensitive political and sexual preferences of the actual people who rated movies. Netflix did not get the consent of renters to expose their ratings to the public or to researchers.

Yet Netflix is moving ahead to release even MORE personal data for its next million-dollar contest. The major media (NYT’s Steve Lohr, for example) has NOT reported at all on how Netflix is violating movie renters’ privacy, but instead trumpets the prizes paid to those who develop more accurate ways to predict which movies you will want to watch next.

The problem of re-identification is VERY serious for the healthcare system because health data is practically impossible to de-identify: it is so rich in detail that de-identification almost never succeeds.

Today, the treasure trove of all Americans’ sensitive health data is being endlessly used and disclosed without informed consent to millions of “covered entities” and “business associates” (and their millions of employees)–subjecting EVERY American to the theft, sale, and misuse of the most sensitive personal information that exists.

Who will hire you knowing all about your prescriptions, illnesses and genes?

Security and Hacking, Real Fears

See the WSJ Article: New Epidemic Fears: Hackers

Securing health records in small doctor’s offices and clinics is not easy: small offices can’t afford Fort Knox-style data protection measures, like hiring security experts to make sure hackers aren’t getting into their systems. Even if electronic health records software includes encryption and other security features, that doesn’t mean those features will be turned on and used.

• Now, many privacy advocates are concerned the administration’s effort could end up making health information less secure. “If there isn’t a concerted effort to acknowledge that the security risks are very real and very serious then we could end up doing it wrong,” says Avi Rubin, technical director of the Information Security Institute at Johns Hopkins University.

• “As more information is shared, it is subjected to the weak-link effect.”

• “Mr. Osteen’s efforts to safeguard information won’t be useful if smaller providers he shares it with haven’t made the same kind of security investments.”

On HealthDataRights.org and their Declaration

HealthDataRights.org supports only ACCESS to personal health data, which is a no-brainer and a right Americans have always had. The stimulus bill makes clear that we all have the right to copies of our electronic health records because some providers have made them so hard to get.

But HealthDataRights does NOT support the most critical right of all: the right to CONTROL who can access and use our personal health data in electronic systems. They even claim “privacy” stops data flow and will stop research–which is a lie. Informed consent and control over our own data ensures it’s there when we want it and ONLY for uses or research that we agree with.

HealthDataRights.org is a faux consumer rights organization, as revealed in their FAQs:

• “The organizers of HealthDataRights.org include doctors, researchers, software developers, writers, entrepreneurs, health economists, and many others who share a common goal of greater health data availability.” TO WHOM WILL THE ENTIRE NATION’S DATA BE AVAILABLE? TO THE DATA MINING AND RESEARCH INDUSTRIES THAT WANT OPEN ACCESS TO OUR DATA FOR USES WE HAVE NO CONTROL OVER.

• “Some of us have seen clearly how restrictions on health data and medical records can lead to great pain and suffering—needlessly, in most cases.” MILLIONS OF PATIENTS EVERY YEAR SEE CLEARLY HOW DANGEROUS HEALTHCARE IS WITHOUT PRIVACY AND DELAY OR REFUSE CARE, LEADING TO DEATHS FROM CANCER, PTSD, AND DEPRESSION—COSTING FAR MORE THAN IF TIMELY OR PREVENTIVE CARE WAS PRIVATE.

• “At the same time, we know that too often “privacy” is used as an inappropriate excuse to keep people from gaining access to their own health data and information, which they have every right under HIPAA and most state laws to view and access.” CLAIMING PRIVACY AS AN EXCUSE NOT TO GIVE ACCESS TO PERSONAL HEALTH DATA IS WRONG OF COURSE, BUT WORSE AND FAR MORE DAMAGING IS EXPOSING HEALTH DATA TO THEFT, SALE, AND MISUSE BY MILLIONS OF HEALTH-RELATED BUSINESSES AND ALL GOVERNMENT AGENCIES.

• “Does this Declaration suggest people should have exclusive rights to their data?

“No, we are not suggesting that, although this is a thorny issue. Doctors need accurate information about their patients and are required by law to maintain this information. Labs are required to hold onto their test results for up to seven years. There are also health care organizations that use their patients’ or members’ data to suggest improvements to the care delivered to them, usually with a blanket permission signed by the patient at the initial visit and later forgotten. This is not necessarily a bad thing and may be very beneficial for patients, even though permission is not sought for each particular instance of that use. In addition, aggregated and anonymized, population data obviously is key to learning what is working for whom, what is cost effective for whom, and what is the best way to treat any condition for whom. We are supportive of organizations that are endeavoring to improve public health by learning from population data. An “exclusive right” could be read as contradictory to that. What we do affirm, strongly, is that people do have a right to their own data.”

PATIENTS SHOULD HAVE EXCLUSIVE RIGHTS TO THEIR HEALTH DATA—EVEN NEWT GINGRICH SAYS AMERICANS SHOULD “OWN” THEIR PERSONAL HEALTH DATA.

THIS IS WHERE THEY STATE THAT THE RIGHT TO PRIVACY—THE BASIS OF THE HIPPOCRATIC OATH AND OUR STRONG EXISTING LEGAL RIGHTS TO PRIVACY—WOULD “BE CONTRADICTORY” TO PUBLIC HEALTH RESEARCH. PUBLIC HEALTH DATA IS COLLECTED BECAUSE OF LAWS THAT WERE DEBATED BEFORE BEING PASSED. BUT FUTURE “POPULATION HEALTH” RESEARCH USING ELECTRONIC HEALTH SYSTEMS WILL TAKE PLACE WITHOUT CONSENT BECAUSE EVERY ELECTRONIC HEALTH RECORD WILL BE “WIRED” FOR DATA MINING WITHOUT PATIENT KNOWLEDGE OR CONSENT. RESEARCH WITHOUT CONSENT VIOLATES MEDICAL ETHICS AND INTERNATIONAL TREATIES.

• Who is funding HealthDataRights.org?

HealthDataRights.org is entirely volunteer and has no funding. Any direct costs are being paid out of pocket by the individuals involved. THE INDIVIDUALS’ NAMES ARE NOT LISTED.

You can see the story on HealthDataRights.org debut at: http://www.localhost:8888/pprold/site/News2?page=NewsArticle&id=9475&news_iv_ctrl=-1