How Safe Are Your Medical Records?
By Shana Dardan and Eric Smith
IT WAS A RESEARCH PROJECT with a dramatic conclusion. In the winter of 2007, assisted by two Susquehanna University students, we decided to test our theory that a determined individual could walk into a hospital and steal medical information by simply tapping into the institution’s wireless network. Within several hours of embarking on this adventure, we not only had achieved our objective with a hospital that had agreed to become our research guinea pig, but we also had taken control of its power grid.
The purpose of this experiment was not to cause anxiety or mischief. Rather, it was to underscore the vulnerabilities of our nation’s medical records system. In the process, we also created an experience for two students that far outstripped anything they could have learned in a classroom lecture.
ONLY A FEW SHORT DECADES the introduction of the personal computer, we are now fully engaged in the digital era. Digitized information is ubiquitous and necessary for global business. Integral to increasing health care standards and meeting the needs of an aging boomer generation, hospitals are using digital medical records. Many are actively joining the National Health Information Network, a federally funded project to support the creation of personal electronic health records that can follow consumers anywhere. Indeed, the use and availability of digital medical records are expected to vastly decrease the cost of preventable medical errors and the number of deaths due to those errors.
But the very nature of digital medical records and the use of networks make the theft of information much easier. How easy? Our experiment showed that a tech-savvy individual can steal patient medical records even from a hospital that has a highly reputable security staff and is HIPAA compliant. Hospitals and patients seem to use HIPAA—a federal law that among other things ensures the security and privacy of health data—as the bar, or standard, for whether their information is adequately protected. Yet the technical requirements for information security as outlined in HIPAA are less than a page long, outdated and ambiguous. Add to this the reality that the fundamental requirement of IT in a hospital setting is the availability of information—not the security of said information—and you have substantial room for possible network vulnerabilities.