Thursday, May 7, 2009

Medical Cyber Piracy: Are National Electronic Health Records Plans Premature?

In 1961, President John F. Kennedy stood before a joint session of Congress and declared:

"It is time for a great new American enterprise -- time for this nation to take a clearly leading role in space achievement, which in many ways may hold the key to our future on earth ... First, I believe that this nation should commit itself to achieving the goal, before this decade is out, of landing a man on the moon and returning him safely to the earth. No single space project in this period will be more impressive to mankind, or more important for the long-range exploration of space; and none will be so difficult or expensive to accomplish."

In setting such an ambitious goal, the President was primarily putting at risk a handful of volunteer astronauts, several of whom actually did perish in the effort.

In 2009, President Obama committed the U.S. to full interconnected electronic health records (EHRs) by 2014.

In doing so, the President may be putting at risk millions of non-volunteer, ordinary people if the following is an example of what we can look forward to:

Authorities Hunt Hackers in Breach of Va. Health Data

By Brian Krebs and Anita Kumar
Washington Post Staff Writers
Thursday, May 7, 2009 2:06 PM

RICHMOND, May 7 -- The FBI and Virginia State Police are searching for hackers who have demanded the state pay them a $10 million ransom by Thursday for the return of millions of personal pharmaceutical records they stole from the state's prescription drug database.

The hackers claim to have accessed 8 million patient records and 35 million prescriptions collected by the Prescription Monitoring Program.

... State officials learned on April 30 that hackers had replaced the site's homepage with a ransom note demanding the $10 million payment [hence my title of medical cyber piracy - although perhaps I should call it cyber terrorism? -ed.] in order to receive a password needed to retrieve the records, according to a posting on Wikileaks.org, an online clearinghouse for leaked documents.

The program's computer system has been shut down since last week's breach, but all data were backed up and those files have been secured, Whitley Ryals said. Virginians are still able to get prescriptions filled.

"We do have some of systems restored, but we're being very careful in working with experts and authorities to take essential steps as we proceed forward," she said. "Only when the experts tell us that these systems are safe and secure for being live and interactive will that restoration be complete."

State law requires the agency notify individuals whose personal information may have been accessed. Officials are working with state attorneys to figure out how and when they will do that.

The state-run database allows doctors and pharmacies to track powerful narcotics and painkillers to reduce the abuse, theft and illegal sale of the controlled substances sold under labels such as OxyContin and Vicodin. It was set up as a pilot program in southwestern Virginia in 2003 and expanded statewide in 2006.

Emily Wingfield, chief deputy director of the Department of Health Professions, said the database contained 31.3 million prescription records as of Jan. 1. About 1 million records are added every month, she said.

[And now the customary disclaimer - ed.] State officials say they have no evidence that any personal information is at risk, but they recommend that anyone concerned about possible identity theft keep track of personal financial statements and periodically review credit reports.


Only the world's dreamiest and most naive optimist could believe that these occurrences of medical cyber piracy - or worse - would not become commonplace, with rapid expansion of a diverse array of commercial electronic health records systems among our nation's thousands of hospitals and hundreds of thousands of practitioners.

This is especially true at our current levels of information technology, but also at "our" (meaning, the existing pool of IT professionals') current levels of competence and intellectual capability to manage this technology.

This story in today's Wall Street Journal is another case in point along those lines:

FAA's Air-Traffic Networks Breached by Hackers
By SIOBHAN GORMAN

WASHINGTON -- Civilian air-traffic computer networks have been penetrated multiple times in recent years, including an attack that partially shut down air-traffic data systems in Alaska, according to a government report.

The report, which was released by the Transportation Department's inspector general Wednesday, warned that the Federal Aviation Administration's modernization efforts are introducing new vulnerabilities that could increase the risk of cyberattacks on air-traffic control systems. The FAA is slated to spend approximately $20 billion to upgrade its air-traffic control system over the next 15 years.

The increasing reliance of modernized systems on the Internet "is especially worrisome at a time when the nation is facing increased threats from sophisticated nation-state sponsored cyber attacks," wrote Assistant Inspector General Rebecca Leng.

... Security tests identified 763 "high risk" vulnerabilities that could allow hackers access to administrative systems, which could then provide a path to more-sensitive operational systems, the report said.

... Last year, hackers of unspecified origin "took over FAA computers in Alaska" to effectively become agency insiders, and traveled the agency networks to Oklahoma, where they stole the network administrator's password and used it to install malicious codes, the report said. These hackers also gained the ability to obtain 40,000 FAA passwords and other information used to control the administrative network, it said.

In February, another cyber break-in yielded the personal information of 48,000 current and former agency employees.

"The threat of hackers interfering with our air-traffic control systems is not just theoretical; it has already happened," said Republican Rep. Tom Petri of Wisconsin, one of the lawmakers who requested the report. "We must regard the strengthening of our air-traffic control security as an urgent matter."


In Nov. 2008 I wrote in a post "Should The U.S. Call A Moratorium On Ambitious National Electronic Health Records Plans?" that 2009 might not be the optimal time for a major national health IT initiative, and that a moratorium on such efforts should be considered. I amplified the point in this followup post and at these posts as well.

The Virginia prescription records debacle adds to my concerns.

There are some national initiatives, such as a lunar landing, that are supported by a likely, relatively small extension of existing technologies, plus a low risk factor or risk factor to a small number of people. There are other national initiatives whose time may not yet have come due to technological limitations, but even more importantly, due to the advanced technology developed by the (brilliant) few outpacing the capabilities of the (average) many to manage it properly.

One needs to ask - without conflict of interest - if the risks of any mass social and technological engineering initiative such as national EHRs are truly outweighed by the benefits at this point in time. This is not an easy decision.

The common refrain that to not proceed with national EHR now would "hold back innovation", however, is one of objectification of the people. It is a "HIT live or let die" philosophy (let people die, or be injured physically or socially, so that IT may live) in my opinion.

I report, you decide.

-- SS

May 8, 2009 addendum:

The "live and let ... die" attitude can be seen in the concluding paragraph in a response by AMIA to Penn researcher Ross Koppel's JAMA article "Health Care Information Technology Vendors' "Hold Harmless" Clause - Implications for Patients and Clinicians."

The AMIA response here (PDF) concludes with this paragraph:

While we support increased transparency around error disclosure, the belief that the best approach to increase the safety and effectiveness of EHR systems is by legal regulation of system vendors is misplaced. Such an approach would stifle innovation and not achieve the desired goals.

I am sympathetic to these concerns, but only to the extent that I can tolerate the commentary's apparent irrationally exuberant and naive character.

I ask: how, exactly, are the beliefs "misplaced"? Who actually holds "misplaced" views? Those people who argue for patient and medical professional rights, a cautious approach to HIT, and regulation (as has occurred for decades in other biomedical industries such as pharma and medical devices), or those people who believe vendors can be counted on to disclose defects 100% by themselves on an "honor" system, without regulation?

Ironically, I believe there is much to be learned from another Penn researcher, in an article published in today's Philadelphia Inquirer:

Posted on Fri, May. 8, 2009
Looking back, years after Penn gene-therapy death
By Marie McCullough
Inquirer Staff Writer

This is one of the strongest cautionary tales regarding the unbridled drive for "innovation" that I've seen in some time.

-- SS