How Do We Hack the Problem of Health Information Hacking?

— Going back to using paper and the U.S. mail seems impractical

MedicalToday
 A photo of hospital medical record archives.
  • author['full_name']

    Fred Pelzman is an associate professor of medicine at Weill Cornell, and has been a practicing internist for nearly 30 years. He is medical director of Weill Cornell Internal Medicine Associates.

"We remain committed to protecting the confidentiality and security of patient information, and apologize for the concern this may cause."

This was part of a letter I received the other day, dated about 3 weeks ago, from an imaging facility where apparently at some point I was a patient. They were writing to inform me that sometime around September of this year, their data systems were breached.

They had identified "suspicious activity" within their IT network, and discovered that someone had been mucking about in their systems at some point in the prior few weeks. Apparently, the hacked documents contained my name, contact information, insurance information, exam and/or procedure information, referring physician, and/or imaging results.

Well, at least they didn't get my Zodiac sign or favorite cereal!

Every day, it seems, there are massive data breaches happening all over the world, and we're likely only hearing about a tiny proportion of what is actually happening. It seems that it only rises to public attention when it involves a major hack, or a large institution.

For instance, it wasn't really reassuring when we learned a few years back that the credit reporting agencies had all been hacked, and all of the data of a large number of people were taken. Can anything be kept safe?

In this letter I received, they told me they were committed to protecting the confidentiality and security of patient information, but apparently the systems they had in place did nothing to stop the people who took the stuff, and there's not much they can do about it afterwards. "We promise we'll do better next time."

I think this is going to start happening more and more, and we will discover that almost no one is immune. Major hospital systems will be breached and information stolen, or ransomware inserted that either threatens to shut down their systems or destroy patient information unless payments are made.

It's not really reassuring to me when I find out weeks and months after an event that someone's got all of my information, and that somebody's really sorry this happened. Perhaps it's time that we as a society start to recognize that all of this information is out there, that the systems and the thieves that are trying to hack this information and steal it are undoubtedly going to be smarter, faster, and more ingenious than those trying to protect it.

I'm not sure if any IT system will ever develop a defense that is "hack-proof," or create a way to disconnect and de-identify all of the information that's necessary to run a healthcare system from the information that a thief would want to steal. I suspect that pretty soon the artificial intelligence (AI) tools that thieves will use will be smart enough to defeat those "I Am Not A Robot" tests where you have to click on the boxes that contain buses, stoplights, and bicycles.

So should the answer be that we go back to paper charts, paper billing, and mailing information back and forth through the U.S. Postal Service? The systems we use are so complex and need so much information that this seems eminently impractical, so we just have to hope that we can either make a system smart enough to protect this information, or we remove anything that anyone would want to steal in the healthcare world from being connected to the internet and other electronic systems.

There is certainly a lot of information contained within the electronic health record that patients probably don't want others to get access to. We have always held the patient's chart as a sacred thing, a safe space, and the trust we have with our patients depends on them being able to tell us stuff that they have confidence will not fall into the hands of others they might not want to see it. The HIPAA rules that we already have in place make a lot of sense, restricting access to healthcare information to those who have a need to know.

There are, of course, some exceptions. For instance, when it's time to get life insurance, whether you want them to know it or not, the insurance companies will learn whether you've ever smoked, what your last CBC was, your last hemoglobin A1c was, and what your last cholesterol profile was.

Maybe one answer would be to pull out clinical information from administrative information, to lock all this data away and only have them connected through some sort of bit chain system that's uncrackable, something designed by artificial intelligence that's changing at an infinite rate that would overpower anyone trying to get it to give up its secrets.

In the news just recently was the massive hack of patient information at 23andMe, which seemed pretty disturbing. Think of that -- suddenly all of your genetic information is out there, laid bare for everyone to see.

But does this have any value to anyone? What's the resale value of knowing that I'm a genetic mutt, a mashup of peoples from all over the world? Is someone going to threaten me or blackmail me over this?

I'm sure someone somehow is going to figure out how to monetize this stuff, that someone is willing to buy it and sell it and use it against someone, for something that we don't even know what it is yet. Our information systems have grown faster than our ability to protect them, and for now at least it seems that that's just the way things are. I fully support everyone working as hard as they can to try and keep this stuff safe.

FYI, my total cholesterol is 184, if you're interested.

Well, maybe we all just need to check our credit reports daily.