Health-care sector vulnerable to hackers, researchers say

From the Wall Street Journal article by Robert O’Harrow Jr. titled Health-care sector vulnerable to hackers, researchers say

“As the health-care industry rushed onto the Internet in search of efficiencies and improved care in recent years, it has exposed a wide array of vulnerable hospital computers and medical devices to hacking, according to documents and interviews.

Security researchers warn that intruders could exploit known gaps to steal patients’ records for use in identity theft schemes and even launch disruptive attacks that could shut down critical hospital systems.

A year-long examination of cybersecurity by The Washington Post has found that health care is among the most vulnerable industries in the country, in part because it lags behind in addressing known problems.

“I have never seen an industry with more gaping security holes,” said Avi Rubin, a computer scientist and technical director of the Information Security Institute at Johns Hopkins University. “If our financial industry regarded security the way the health-care sector does, I would stuff my cash in a mattress under my bed.””

Kravis Backs N.Y. Startups Using Apps to Cut Health Costs

The title should have been: “Wall Street trumps the Hippocratic Oath and NY patients’ privacy” or “NY gives technology start-ups free access to millions of New Yorkers sensitive health data without informed consent starting in February”.

Of course we need apps to lower health costs, coordinate care, and help people get well, but apps should be developed using ‘synthetic’ data, not real patient data. Giving away valuable identifiable patient data to app developers is very risky and violates patients legal and ethical rights to health information privacy under state and federal law—each of us has strong rights to decide who can see and use personal health information.

What happens when app developers use, disclose or sell Mayor Bloomberg’s, Governor Cuomo’s, Sec of State Hillary Clinton’s, or Peter Thiel’s electronic health records? Or will access to prominent people’s health records be blocked by the data exchange, while everyone’s else’s future jobs and credit are put at risk by developer access to health data?  Will Bloomberg publish a story about the consequences of this decision by whoever runs the NY health data exchange? Will Bloomberg write about the value, sale, and massive technology-enabled exploitation of health data for discrimination and targeted marketing of drugs, treatments, or for extortion of political or business enemies? Natasha Singer of the NYTimes calls this the ‘surveillance economy’.

The story did not mention ways to develop apps that protect patients’ sensitive information from disclosure to people not directly involved in patient care. The story could have said that the military uses “synthetic” patient data for technology research and app development. They realize that NOT protecting the security and privacy of sensitive data of members of the military and their families creates major national security risks.  The military builds and tests technology and apps on synthetic data; researchers or app developers don’t get access to real, live patient data without tough security clearances and high-level review of those who are granted permission to access data for approved projects that benefit patients. Open access to military health data bases threatens national security. Will open access to New Yorkers’ health data also threaten national security?

NY just started a national and international gold rush to develop blockbuster health apps AND will set off a rush by other states to give away or sell identifiable patient health information in health information exchanges (HIEs) or health information organizations (HIOs)—-by allowing technology developers access to an incredibly large, valuable data base of identifiable patient health information.  Do the developers get the data free—or is NY selling health data? The bipartisan Coalition for Patient Privacy (represents 10.3M people) worked to get a ban on the sale of patient health data into the stimulus bill because the hidden sale of health data is a major industry that enables hidden discrimination in key life opportunities like jobs and credit. Selling patient data for all sorts of uses is a very lucrative industry.

Further, NY patients are being grossly misled: they think they gave consent ONLY for their health data to be exchanged so other health professionals can treat them. Are they informed that dozens of app developers will be able to copy all their personal health data to build technology products they may not want or be interested in starting in February?

Worst of all the consequences of systems that eliminate privacy is: patients to act in ways that risk their health and lives when they know their health information is not private:

  • -600K/year avoid early treatment and diagnosis for cancer because they know their records will not be private
  • -2M/year avoid early treatment and diagnosis for depression for the same reasons
  • -millions/year avoid early treatment and diagnosis of STDs, for the same reason
  • -1/8 hide data, omit or lie to try to keep sensitive information private

More questions:

  • -What proof is there that the app developers comply with the contracts they sign?
  • -Are they audited to prove the identifiable patient data is truly secure and not sold or disclosed to third parties?
  • -What happens when an app developer suffers a privacy breach—most health data today is not secure or encrypted? If the app developers signed Business Associate Agreements at least they would have to report the data breaches.
  • -What happens when many of the app developers can’t sell their products or the businesses go bust? They will sell the patient data they used to develop the apps for cash.
  • -The developers reportedly signed data use agreements “covering federal privacy rules”, which probably means they are required to comply with HIPAA.  But HIPAA allows data holders to disclose and sell patient data to third parties, promoting further hidden uses of personal data that patients will never know about, much less be able to agree to.  Using contracts that do not require external auditing to protect sensitive information and not requiring proof that the developers can be trusted is a bad business practice.

NY has opened Pandora’s box and not even involved the public in an informed debate.

5 Held Over Apps that Stole Smartphone Info

Read the full article at 5 Held Over Apps that Stole Smartphone Info.

In Japan, “free apps had reportedly been downloaded up to 270,000 times” infecting at least “90,000 people’s smartphones” with a virus that stole “10 million pieces of personal information from users’ address books”. Creating viruses is a crime in Japan.

Criminals want valuable contact information. How much more valuable do you think personal health information is?

The value of health data is the reason theft is the #1 cause of health data breaches (See “Top Reasons for HITECH Breaches As of October. 17, 2012″ by Melamedia. Sign up for free monthly breach statistics at: http://melamedia.com/index.php).

In the US, millions of employees of corporations can obtain, use, and sell your health data (See ABC News Investigation showing diabetic records for sale from $14-25/record at: http://abcnews.go.com/Health/medical-records-private-abc-news-investigation/story?id=17228986&singlePage=true#.UFKTXVHUF-Y).

Loopholes in HIPAA grant millions of employees of providers, doctors, hospitals, insurers, data clearinghouses, and health technology companies the right to use and sell our electronic health records.  We have no way to know when this happens, it’s part of the hidden US “surveillance economy“.

Tell lawmakers and the next President to require health technology systems that put you in control over who can see, use, and sell your electronic health records—from prescriptions to DNA to diagnoses. 90+% of Americans, both Republicans and Democrats, expect to control access to their sensitive health data.

Do Not Track? Advertisers Say ‘Don’t Tread on Us’

See the full article written by Natasha Singer in the NY Times at Do Not Track? Advertisers Say ‘Don’t Tread on Us’

Americans are all victims of a massive hidden “surveillance economy” that collects and sells every bit of online information about us (and health information is the most valuable of all). This story is about the battle between the US data mining industry and the consumers, patients, and corporations that oppose secret data mining.

“Brendon Lynch, Microsoft’s chief privacy officer, said a recent company study of computer users in the United States and Europe concluded that 75 percent wanted Microsoft to turn on the Do Not Track mechanism. “Consumers want and expect strong privacy protection to be built into Microsoft products and services.”

“The Association of National Advertisers recently attacked Microsoft because Microsoft’s new browser will automatically tell hidden data collectors ‘Do Not Track’ users online.  “Microsoft’s action is wrong. The entire media ecosystem has condemned this action,” the letter said.”

It’s not surprising to see this attack by the data mining industry on Microsoft. There will be many more attacks as the public realizes the harms that are caused by unfettered corporate and government collection of personal information.  Today’s surveillance economy is based on monetizing personal data, selling intimate minute-by-minute profiles of our minds and bodies.

Privacy and Data Management on Mobile Devices

See this link for the entire survey of 1,954 cell phone users (see excerpt below): http://pewinternet.org/~/media//Files/Reports/2012/PIP_MobilePrivacyManagement.pdf

When the public learns about hidden data use and collection on cell phones,  significant numbers of people TURN them OFF:

  • -“57% of all app users have either uninstalled an app over concerns about having to share their personal information, or declined to install an app in the first place”

What will the public do when they realize they CANNOT turn off:

  • -hundreds of software ‘applications’ at hospitals that collect, use, and sell their health information
  • -thousands of EHRs and other health information technologies that collect, use, and sell their health information
  • -health-related websites that collect, use, and sell their health information

Survey uncovers lax attitudes toward BYOD security

To view the full article by Eric Wicklund in mHIMSS, please visit Survey uncovers lax attitudes toward BYOD security.

Ask your doctor about his/her smart phone or iPad: does he/she use it for work, is your data encrypted, can the data on the device be wiped if its lost or stolen?

The number of people who work in healthcare using personal devices like smart phones and Apple products is exploding—but many mobile devices lack the strong data security protections required for health data-like encryption. So if the device is lost or stolen, so is the sensitive information about your mind and body.

Key quotes from the story:

* 51% say their companies don’t have the capability of remotely wiping data from a device if it is stolen or lost

* Less than half had (data security) controls in place for mobile devices

* 84%  of individuals stated they use the same smartphone for personal and work issues.

* 47% reported they have no passcode on their mobile phone.

Senator Al Franken is pressing Congress and the Department of Health and Human Services (HHS) to specifically require health data to be protected on portable media. The government is pouring billions into build an electronic healthcare system but failing to require or enforce effective rules to protect our sensitive health information, from prescription records to DNA to diagnoses. Electronic health records are far easier to steal, sell, or lose than paper records because hundreds or thousands of people who work at hospitals and health plans can access our health data.

It’s crazy that health data is not protected by ironclad security protections at all times, no matter where its being used. You’d think even without government regulations for data protection that anyone handling our most sensitive personal information would protect it, but many don’t.

Hospitals enlist vendors for data analytics help

See full article in FierceHealthIT:  Hospitals enlist vendors for data analytics help

“Providers are increasingly turning to big tech companies to help their data mining efforts, according to an article at Bloomberg Businessweek.

Vendors such as Microsoft, SAS, IBM and Oracle are giving mounds of data the once-over in an analytics industry that generated more than $30 billion last year, according to research firm IDC. That figure is expected to grow to $33.6 billion in 2012–and healthcare is a leading customer.

The practice of data-mining, however, raises concerns. Hospitals have been criticized for mining patient data as a means to market to the most lucrative patients, for example. And data mining only exacerbates the concerns of patient advocates such as Deborah Peel, founder of Patient Privacy Rights, who recently told Forbes that people will avoid seeing doctors if they feel their information isn’t secure.”

The Web’s New Gold Mine: Your Secrets

A Journal investigation finds that one of the fastest-growing businesses on the Internet is the business of spying on consumers. First in a series.

Hidden inside Ashley Hayes-Beaty’s computer, a tiny file helps gather personal details about her, all to be put up for sale for a tenth of a penny… One of the fastest-growing businesses on the Internet, a Wall Street Journal investigation has found, is the business of spying on Internet users…

…The Journal conducted a comprehensive study that assesses and analyzes the broad array of cookies and other surveillance technology that companies are deploying on Internet users. It reveals that the tracking of consumers has grown both far more pervasive and far more intrusive than is realized by all but a handful of people in the vanguard of the industry…

…Healthline says it doesn’t let advertisers track users around the Internet who have viewed sensitive topics such as HIV/AIDS, sexually transmitted diseases, eating disorders and impotence. The company does let advertisers track people with bipolar disorder, overactive bladder and anxiety, according to its marketing materials.

Targeted ads can get personal. Last year, Julia Preston, a 32-year-old education-software designer in Austin, Texas, researched uterine disorders online. Soon after, she started noticing fertility ads on sites she visited. She now knows she doesn’t have a disorder, but still gets the ads.

The Machinery Behind Health-Care Reform

How an Industry Lobby Scored a Swift, Unexpected Victory by Channeling Billions to Electronic Records

When President Obama won approval for his $787 billion stimulus package in February, large sections of the 407-page bill focused on a push for new technology that would not stimulate the economy for years…

…A Washington Post review found that the trade group, the Healthcare Information and Management Systems Society, had worked closely with technology vendors, researchers and other allies in a sophisticated, decade-long campaign to shape public opinion and win over Washington’s political machinery.

The phone that feels the flu before you do (AP)

The “Zicam Cold & Flu Companion” warns Google phone users of the number of people who are sneezing and shaking in their zip code.

Matrixx Initiatives Inc., an Arizona company that makes of over-the-counter cold and flu remedies under the Zicam brand, released a program this week for the T-Mobile G1, also known as the “Google phone,” that warns the user how many people in an area are sneezing and shaking with winter viruses.

The “Companion” is available for free from the Android Marketplace, and will soon be available on the iPhone. Google Inc., which created the G1′s operating system, launched its own state-by-state Web-based flu tracker recently.