Stanching the hemorrhage of health-care data
If you're like most people, you're much more concerned about protecting your credit card number than your health-insurance number. But health-care information is increasingly being exploited by ill-intentioned individuals, says M. Eric Johnson, a professor at Dartmouth's Tuck School of Business who studies what is known as medical identity theft.
Motives: The motives behind medical identity theft vary. Uninsured individuals may try to receive free health services; illegal immigrants may want to avoid being deported; criminals on the run may be evading the law. Between 1998 and 2006, the Federal Trade Commission received 19,000 complaints of medical identity theft, a number that's "the tip of the iceberg," says Johnson.
In a recent paper on the problem, he wrote that "hospital employees historically comprise the largest known group of individuals involved in traditional medical fraud." Yet patients can unwittingly foster fraud by, for example, scanning health-care paperwork and storing it on an unsecured computer.
But Johnson, who directs the Center for Digital Strategies at Tuck, believes that digitizing medical records is part of the solution rather than part of the problem. In fact, he and several other Dartmouth faculty members (including Dr. Andrew Gettinger, head of informatics for DHMC) just received a $3-million grant from the National Science Foundation to develop secure computing systems for the health-care industry.
Peer: Johnson's research places the blame for medical data hemorrhages on antiquated information technology (IT) in doctors' offices and hospitals, as well as on peer-to-peer (P2P) file-sharing client software, the programs commonly used to share music.
Health-care workers often have easy access to confidential employee and patient information when such data is stored in insecure formats like Microsoft Word or Excel. Files in these formats can easily be e-mailed, uploaded, or otherwise carried out of a health-care facility, usually with no way of identifying the culprit, let alone of detecting that the data has been compromised at all.
Johnson also examined how P2P software facilitates medical identity theft. For example, a malicious P2P client may ask for access to a user's entire "My Documents" folder if just one music file is stored there. Or a client may just automatically access a user's entire hard drive, without even asking permission.
Footprint: In his study, which Johnson presented at the 2009 international Financial Cryptography and Data Security conference, he explained how easy it is to mine personal health information via P2P file-sharing software. First, he created an electronic "footprint," a set of search terms that lead back to an original query, for each of the top 10 publicly traded health-care firms. Pulling randomized samples over two weeks, he recovered 3,328 documents from P2P networks, 5% of which "could be used to commit medical or financial identity theft." These documents included health plan information, examination records, medical and psychiatric histories, and other sensitive data.
Then, by employing more specific searches, Johnson gained access to even more compromising data, including one file containing Social Security numbers, dates of birth, and insurer information for 9,000 patients. One hospital system inadvertently leaked a spreadsheet with 82 pieces of information on each of 20,000 patients.
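The two P2P failure modes described above (a client that asks for a whole "My Documents" folder when one music file lives there, and a client that shares the entire drive without asking) can be checked for before a folder is ever shared. The script below is an added example, not code from the article or from Johnson's study: it walks a folder that a user intends to share, flags files that look like they carry health or identity data (Social Security number patterns and insurance-related terms, both chosen here as illustrative detectors), and reports which of those files would be exposed if the client shared the whole folder instead of only the music. The sample files, the keyword list and the function names are all constructed for this example.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample tree standing in for a home user's "My Documents" folder.
# Only the music file was ever meant to be shared; the scans and tax folders
# are the kind of material Johnson's searches turned up on P2P networks.
SAMPLE_FILES = {
    "music/track01.mp3": b"ID3\x03\x00 not really audio, just a stand-in",
    "scans/claim_form.txt": b"Patient: J. Doe\nSSN: 123-45-6789\nInsurer ID: ABC123\n",
    "scans/notes.txt": b"Reminder: buy milk\n",
    "tax/return_2008.txt": b"Adjusted gross income ... SSN 987-65-4321\n",
}

# Illustrative detectors: a US SSN shape and a few insurance/medical terms.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
HEALTH_TERMS = ("insurer", "patient", "diagnosis", "health plan", "medical record")


def build_sample_tree() -> Path:
    """Write the constructed sample files into a temporary directory."""
    root = Path(tempfile.mkdtemp(prefix="share_check_"))
    for rel, body in SAMPLE_FILES.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(body)
    return root


def scan_file(path: Path) -> list[str]:
    """Return the reasons a single file looks sensitive (empty list if none)."""
    text = path.read_bytes().decode("utf-8", errors="ignore")
    reasons = []
    if SSN_RE.search(text):
        reasons.append("ssn-pattern")
    lowered = text.lower()
    for term in HEALTH_TERMS:
        if term in lowered:
            reasons.append(f"term:{term}")
    return reasons


def find_sensitive_files(root: Path) -> dict[str, list[str]]:
    """Map each sensitive file (path relative to root) to its detection reasons."""
    hits = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            reasons = scan_file(path)
            if reasons:
                hits[path.relative_to(root).as_posix()] = reasons
    return hits


def exposure_beyond_intent(root: Path, intended_suffixes=(".mp3",)) -> set[str]:
    """Files a whole-folder share would expose that the user never meant to share."""
    exposed = set()
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() not in intended_suffixes:
            exposed.add(path.relative_to(root).as_posix())
    return exposed


def sensitive_exposure(root: Path, intended_suffixes=(".mp3",)) -> dict[str, list[str]]:
    """The intersection: sensitive files that a whole-folder share would leak."""
    hits = find_sensitive_files(root)
    unintended = exposure_beyond_intent(root, intended_suffixes)
    return {rel: why for rel, why in hits.items() if rel in unintended}


if __name__ == "__main__":
    root = build_sample_tree()
    for rel, why in sensitive_exposure(root).items():
        print(f"would leak: {rel}  ({', '.join(why)})")
```

Run against a real folder, the useful output is the last function: if it returns anything, the folder should not be offered to a P2P client at all, or the music should be moved into a directory of its own that contains nothing else.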
While no secure system is perfect, many large hospitals, including DHMC, use an electronic medical record (EMR) system. DHMC developed its own EMR in 1985, making it one of the earlier institutions to do so; the system restricts access to patient files based on an employee's role. Douglas Madory, manager of information systems security at DHMC, explains that the institution is currently in transition to a new system that will have even more sophisticated capabilities. DHMC takes patient privacy very seriously, says Madory. "There's not a lot of leeway" regarding breaches, he notes, even if their cause is not criminal, such as looking up a friend's birthday. Disciplinary action can range from a formal warning to termination, depending on the severity of the case.
Data: Employees are also told that if they use a laptop for work, they must always ensure that sensitive material is encrypted so that, if the computer is lost or stolen, the data on it can't be accessed by anyone else.
But people shouldn't rely just on IT to protect their health information, Johnson points out. Patients can ask for an audit of their EMR if they ever suspect a privacy violation.
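The two controls the article describes for an EMR, access restricted by an employee's role and an audit trail a patient can ask to review, fit together in a few dozen lines. The model below is an added example, not DHMC's EMR or code from the article: every read of a patient record is checked against a hypothetical role policy and against whether the user actually has a care or billing relationship with that patient, and every attempt, granted or denied, is recorded so that a patient's audit request can be answered. The roles, the section names, the users and the patient data are all constructed for this example; the "birthday lookup" case from the article appears as a denied access by a user with no relationship to the patient.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical role policy: which sections of a record each role may read.
ROLE_SECTIONS = {
    "physician": {"demographics", "history", "medications"},
    "billing": {"demographics", "insurance"},
    "it_support": set(),  # administers the system, never reads patient data
}


@dataclass
class AccessEvent:
    """One line of the audit trail, written for every attempt, not only successes."""
    when: str
    user: str
    role: str
    patient_id: str
    section: str
    granted: bool
    reason: str


@dataclass
class EMR:
    user_roles: dict            # user id -> role name
    care_team: dict             # patient id -> set of user ids with a relationship
    records: dict               # patient id -> {section: value}
    audit_log: list = field(default_factory=list)

    def read(self, user: str, patient_id: str, section: str):
        """Return (True, value) or (False, reason); always log the attempt."""
        role = self.user_roles.get(user, "unknown")
        if role == "unknown":
            return self._decide(user, role, patient_id, section, False, "unknown user")
        if section not in ROLE_SECTIONS.get(role, set()):
            return self._decide(user, role, patient_id, section, False,
                                f"role '{role}' may not read '{section}'")
        if user not in self.care_team.get(patient_id, set()):
            return self._decide(user, role, patient_id, section, False,
                                "no treatment or billing relationship with patient")
        value = self.records[patient_id][section]
        self._decide(user, role, patient_id, section, True, "ok")
        return True, value

    def _decide(self, user, role, patient_id, section, granted, reason):
        self.audit_log.append(AccessEvent(
            datetime.now(timezone.utc).isoformat(), user, role,
            patient_id, section, granted, reason))
        return granted, reason

    def audit_for_patient(self, patient_id: str) -> list:
        """What a patient receives when asking for an audit of their record."""
        return [e for e in self.audit_log if e.patient_id == patient_id]

    def denied_for_patient(self, patient_id: str) -> list:
        """Denied attempts are the ones worth a privacy officer's follow-up."""
        return [e for e in self.audit_for_patient(patient_id) if not e.granted]


def build_demo() -> EMR:
    """Constructed users, relationships and records for the example."""
    return EMR(
        user_roles={"dr_lee": "physician", "clerk_kim": "billing", "admin_ray": "it_support"},
        care_team={"P001": {"dr_lee", "clerk_kim"}, "P002": {"clerk_kim"}},
        records={
            "P001": {"demographics": "J. Doe, 1970", "history": "asthma",
                     "medications": "albuterol", "insurance": "plan-ABC"},
            "P002": {"demographics": "R. Roe, 1985", "history": "none",
                     "medications": "none", "insurance": "plan-XYZ"},
        },
    )


if __name__ == "__main__":
    emr = build_demo()
    print(emr.read("dr_lee", "P001", "history"))        # (True, 'asthma')
    print(emr.read("clerk_kim", "P001", "history"))     # denied: role
    print(emr.read("dr_lee", "P002", "demographics"))   # denied: no relationship
    for e in emr.audit_for_patient("P002"):
        print(e)
```

The point of logging denials as well as grants is the article's "not a lot of leeway" remark: the attempt to look up a birthday is itself the evidence, and it only exists if the system writes it down before deciding.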
Finally, Johnson advises people never to put sensitive information on their home computer. "The greatest risk is home machines," he points out. With multiple users, there is a chance that a family member can unintentionally share a computer's whole hard drive with the click of a mouse over a P2P client.
"I have teenagers at home, so I worry," says Johnson. "You need to be careful."
This article may not be reproduced or reposted without permission. To inquire about permission, contact DartMed@Dartmouth.edu.