July 9, 2013
They Can Kill You With the Push Of a Button: Gaping Security Holes In Your Electronic Health Records
It should be obvious by now that modern technology comes with widespread security issues. Some are intentional, such as the NSA spying scandal which has proven that every digital interaction in the United States can be accessed in one way or another. Others are unintentional, where computer device and software operators simply make mistakes, as in the example of the latest revelation that every version of Google’s Android operating system has been exposed to cyber thieves since 2009 (a vulnerability that has yet to be plugged).
While computer and network security issues are rampant across every manner of digital device, a breach on your android phone or the government monitoring your real-time Internet chats through backdoors doesn’t pose an immediate threat to your health and safety.
But with the continued centralization of our personal records, especially our electronic health records (EHR) under new universal health care mandates, there’s a new risk to every single American, and one that leaves us physically exposed to the real threat of being killed with the push of a button.
After she was admitted, Silverstein, who is a doctor, looked at his mother’s electronic health records, which are designed to make medical care safer by providing more information on patients than paper files do.He saw that Sotalol, which controls rapid heartbeats, was correctly listed as one of her medications.
Days later, when her heart condition flared up, he re-examined her records and was stunned to see that the drug was no longer listed, he said.
His mom later suffered clotting, hemorrhaged and required emergency brain surgery. She died in 2011. Silverstein blames her death on problems with the hospital’s electronic medical records.
“I had the indignity of watching them put her in a body bag and put her in a hearse in my driveway,” said Silverstein, who has filed a wrongful-death lawsuit. “If paper records had been in place, unless someone had been using disappearing ink, this would not have happened.”
Some might assume the medical records systems being used by physicians and hospitals all over the country are secure. Why wouldn’t they be, as they literally hold life saving (or life killing) information?
But according to an assessment from the U.S. Department of Health and Human Services this essential medical information is far from invulnerable, which means that a simple mistake by a medical clerk or a premeditated cyber hack could leave you or your loved ones at the mercy of a faceless computer, and a medical staff that assumes it is 100% accurate:
Three risks common to both paper and electronic records include include: 1) the risk of inappropriate access, 2) the risk of record tempering, and 3) the risk of record loss due to natural catastrophes.
With electronic records, inappropriate access manifests itself in one of two ways: 1) an unauthorized user gains access to the EHR data; or 2) an authorized user violates the appropriate use conditions. For example, if office staff access the records of a friend or colleague that visited the practice. Electronic records can be subject to ‘serendipitous’ access in situations such as when a user account is left open or a passerby is able to view data on the screen or manipulate the EHR features. Electronic records can also be subject to breaches of network security that may allow a hacker to gain access to user credentials and thereby to bypass the access control protections.
The ability to make changes to an electronic record depends upon the rights assigned to a user. Users with data modification privileges can generally add, delete, or modify data or entire records. Data can also be tampered with by directly accessing the files stored on the EHR servers using a server account rather than an EHR user account.
Fires, floods or other environmental disasters attack physical locations and can result in the complete loss of both paper and electronic medical records.
Accidents like natural disasters are going to happen, and a complete loss of medical record information is something that can be mitigated through off-site back-up systems.
The real problem lies in the security vulnerabilities outlined by the HHS.
Our medical records are being centralized into one massive database, and by putting all the data in one place we are creating an easy mark for hackers.
We know how simple it is to hack a social network account, or email, or even a web site. Millions of credit card numbers are stolen through online hacking on a daily basis across the world. We’ve had hackers gain access to essential grid utilities like an Illinois water utility plant and take control of its treatment facilities. We’re also well aware of the fact that our major oil refineries and power grid have staggering security holes.
The threat of malicious attacks is more real now than ever before as more systems come online and connect directly to the Internet.
Our medical records are no different. In fact, with so many people across the country having user accounts to the front- and back-end systems, these system may be more vulnerable than even our personal email accounts.
The critical difference here is that access to your medical records poses an immediate and catastrophic threat to your health and well being.
Whether by accident or on purpose, your personal files can be easily accessed and modified. According to Karl Denninger, the scary thing is that it can be done with “no notification of the change in the system, no audit trail that was immediately visible on the change and no means for the attending physician to immediately, at a glance, know that the record had been changed.”
What’s worse is that the medical establishment believes that it actually owns your medical records. Heck, we don’t even own our DNA any more according to the Supreme Court, so it would only make sense that your medical history, diagnoses over the years, treatments and assessments belong not to you, but to the government and medical industry. This, of course, further complicates the issue, as you have no idea what may have been modified because gaining access to your records may require you to jump through hoops for weeks or months to obtain a copy of your personal medical history.
Thousands of Americans are killed every year because of medical malpractice. And in coming years, as we become more dependent on Electronic Health Records, there is a real possibility that nefarious individuals with the intent to harm you directly, or even engage in a mass attack on our health care system, will modify medical records with the intention of killing people remotely.
It sure seems like a convenient mechanism for engaging in stealth assassinations should someone choose to do so.
When a mass-shooter kills scores of people with a gun in a movie theater or school there is an outcry to disarm the American people.
What about the threat of mass-killings by way of hacking the medical records of millions of Americans? Will the government move to ban all electronic medical records as well?
Doubtful … there’s just way to much money and control at stake.