Medical Records: Stored in the Cloud, Sold on the Open Market


Eugen Leitl

Nov 5, 2009, 9:51:47 AM
to Open Source Medicine
http://www.wired.com/threatlevel/2009/10/medicalrecords

Medical Records: Stored in the Cloud, Sold on the Open Market

* By Kim Zetter
* October 19, 2009, 4:30 pm
* Categories: Cybersecurity, privacy


When patients visit a physician or hospital, they know that anyone
involved in providing their health care can lawfully see their medical
records.

But unknown to patients, an increasing number of outside vendors that
manage electronic health records also have access to that data, and
are reselling the information as a commodity.

The revelation comes in a recent New York Times article about how so-
called “scrubbed” patient data isn’t as anonymous as people think. The
piece focuses primarily on how anonymized data can be cross-bred with
other publicly available databases, such as voting records, which
subverts the anonymity. Buried near the end of the article is the news
that medical data is collected, anonymized and sold, not by insurance
agencies and health care providers, but by third-party vendors who
provide medical-record storage in the cloud.

Electronic health record (EHR) services have been a growing industry
in the last few years, according to Sue Reber, marketing director of
the Certification Commission for Health Information Technology. Reber
says most vendors used to simply sell software packages; once the
product was sold, the vendor had no connection to the data stored in
it. But an increasing number of companies have begun to offer web-
based software-management applications that include database storage
controlled and managed by the vendor.

Reber told Threat Level that such products generally come with
security and privacy provisions that prevent the software provider
from having access to the data, even though they’re managing it. But
others say this isn’t always the case.

As part of their contracts with the vendors, doctors are agreeing to
let some vendors access and collect the patient data, scrub it of
personally identifying information, and sell it in bulk to
pharmaceutical companies and other buyers, the Times reports.

George Hill, an analyst at Leerink Swann, a health care investment
bank, told the Times that the market for health record systems is $8
billion to $10 billion annually. About 5 percent of this income comes
not from the sale of information systems but from the sale of data and
analysis. As more physicians and hospitals — spurred by federal
incentives — switch to electronic recordkeeping, revenue from the sale
of health data could grow to $5 billion, Hill said.

In some cases, the vendor contract specifies that the vendor has
exclusive access to the health records in its database, according to
Dr. Paul Tang, vice president and chief medical information officer of
the Palo Alto Medical Foundation, and member of a federal privacy
advisory panel.

Tang told ModernHealthCare in 2007 that he’d seen such contracts from
large and small vendors. “Some [vendors] say they have ownership to
data. There are contracts that say they will have real-time access to
the database, that they will have exclusive access to the data, that
they can resell the data. I think it would be unlawful that covered
entities abide by that.”

Giving vendors access to such data would apparently violate the Health
Insurance Portability and Accountability Act (HIPAA), which prohibits
doctors from providing medical records to anyone not involved in
providing health care or payment for health care or involved in health
care research. Although the law does provide a loophole for “business
associates” hired by health care providers, privacy rights lawyer
Robert Gellman told ModernHealthCare that this likely wouldn’t protect
health care providers in these cases.

“Any contract that deals with ownership of medical data is pretty
meaningless, because laws and medical ethics control the rights and
responsibilities of medical records,” Gellman said. “Whoever holds the
records as a covered entity has certain obligations and limits under
law, regardless of how the contracts are written. As long as a doctor
is covered by HIPAA, those rules for disclosure hold. If a doctor
signs an agreement like that, the doctor has certainly violated HIPAA,
and may be pursued by OCR and may be sued by the patient for all kinds
of things.”

Vendors say they re-sell the data for research purposes and scrub it
of identifying information first to protect patient privacy. But in
1997, Latanya Sweeney, director of the Data Privacy Lab at Carnegie
Mellon University, showed how she was able to pick out the medical
records of William Weld (then the governor of Massachusetts) from
scrubbed medical information published by the state’s insurance
commission by simply correlating the anonymized data with birthdays,
ZIP codes and gender information published in the state’s voter-
registration rolls.

According to Sweeney, 87 percent of the U.S. population can be
uniquely identified simply from their birthdate, gender and ZIP code.

Patient advocate groups have called for greater oversight and
regulation of the electronic health-record industry to control what
software vendors can access and what they can do with the data.

Image showing who has legal access to medical records courtesy of
PatientPrivacyRights.org.
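
The linkage attack the article attributes to Sweeney, as an added example that is not part of the Wired piece or of this thread: a "scrubbed" release is joined to a voter roll on the quasi-identifiers (ZIP code, date of birth, sex), and any record whose quasi-identifier value is unique on both sides is re-identified. The records and names are constructed for the example; the k-anonymity check and the generalization step go a little beyond the article, showing the test a publisher would run before release and the standard remedy.

```python
"""Linkage attack on a 'scrubbed' medical release, in the manner of Sweeney's
re-identification of Gov. Weld: join the release with a voter roll on the
quasi-identifiers (ZIP, date of birth, sex) and see how many records the join
pins to exactly one voter. Every record below is constructed for this example."""

from collections import defaultdict

QI = ("zip", "dob", "sex")   # quasi-identifiers present in both datasets

# Constructed "anonymised" hospital release: names removed, QI kept.
SCRUBBED = [
    {"zip": "02138", "dob": "1945-07-31", "sex": "M", "dx": "hypertension"},
    {"zip": "02139", "dob": "1982-03-12", "sex": "F", "dx": "asthma"},
    {"zip": "02139", "dob": "1982-03-12", "sex": "F", "dx": "migraine"},
    {"zip": "02139", "dob": "1947-02-14", "sex": "M", "dx": "diabetes"},
    {"zip": "02141", "dob": "1985-09-09", "sex": "F", "dx": "anxiety"},
]

# Constructed public voter roll: name plus the same QI.
VOTERS = [
    {"name": "Walter Example", "zip": "02138", "dob": "1945-07-31", "sex": "M"},
    {"name": "Dana Example",   "zip": "02139", "dob": "1982-03-12", "sex": "F"},
    {"name": "Erin Example",   "zip": "02139", "dob": "1982-03-12", "sex": "F"},
    {"name": "Robert Example", "zip": "02139", "dob": "1947-02-14", "sex": "M"},
    {"name": "Sam Example",    "zip": "02142", "dob": "1965-06-30", "sex": "M"},
]


def quasi_key(rec, fields=QI):
    return tuple(rec[f] for f in fields)


def link(scrubbed, voters, fields=QI):
    """Return {voter name: diagnosis} for each released record whose QI value
    matches exactly one voter and occurs exactly once in the release. Values
    shared by several people or several records stay unlinked here, though a
    two-candidate match still leaks a lot."""
    names_by_key = defaultdict(list)
    for v in voters:
        names_by_key[quasi_key(v, fields)].append(v["name"])
    recs_by_key = defaultdict(list)
    for r in scrubbed:
        recs_by_key[quasi_key(r, fields)].append(r)
    hits = {}
    for key, recs in recs_by_key.items():
        names = names_by_key.get(key, [])
        if len(names) == 1 and len(recs) == 1:
            hits[names[0]] = recs[0]["dx"]
    return hits


def k_anonymity(records, fields=QI):
    """Size of the smallest QI equivalence class. k == 1 means some record is
    unique on (zip, dob, sex), which is exactly what a linkage attack needs."""
    counts = defaultdict(int)
    for r in records:
        counts[quasi_key(r, fields)] += 1
    return min(counts.values())


def generalize(rec):
    """Coarsen the QI (3-digit ZIP prefix, birth decade) so several people
    share each value; the usual remedy, paid for in data utility."""
    g = dict(rec)
    g["zip"] = rec["zip"][:3]
    g["dob"] = rec["dob"][:3] + "0s"
    return g


if __name__ == "__main__":
    print("exact QI: k =", k_anonymity(SCRUBBED), "linked:", link(SCRUBBED, VOTERS))
    gs, gv = [generalize(r) for r in SCRUBBED], [generalize(v) for v in VOTERS]
    print("coarsened: k =", k_anonymity(gs), "linked:", link(gs, gv))
```

On the exact quasi-identifiers the release has k = 1 and two of five records are re-identified by name; after coarsening to ZIP prefix and birth decade, k rises to 2 and the join pins nobody. The point for anyone selling "scrubbed" data is that removing the name field is not anonymization; the check that matters is the size of the smallest equivalence class against whatever public datasets a buyer can join on.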

Samantha Atkins

Nov 5, 2009, 1:00:02 PM
to opensourc...@googlegroups.com
Sorry to top post but reasonably good encryption of said records
should solve this problem. There is nothing about storage in a cloud
that says the data needs to be readable by unauthorized parties.

- samantha

Eugen Leitl

Nov 6, 2009, 4:55:50 AM
to opensourc...@googlegroups.com
On Thu, Nov 05, 2009 at 10:00:02AM -0800, Samantha Atkins wrote:
>
> Sorry to top post but reasonably good encryption of said records

The problem is restricting access. You need to keep the key in
the person's possession (smartcard + PIN), requiring personal
approval to give access (of course, you have to back up the
key, and escrow it), log access, provide patient with ways to
inspect the log, ways to track leaked records (M.D. XYZ
made unauthorized copies, pooled the records and sold them
on the black market), draconian legislation making trade
in medical records a risky proposition, and the like.

So encryption is only a tiny part of it. Without infrastructure,
and legal backing of it all there's not going to be anything
useful.

> should solve this problem. There is nothing about storage in a cloud
> that says the data needs to be readable by unauthorized parties.

Right, but even authorized parties can do mean things with your
records when you turn your back. So you don't need just cryptographic
authentication, but watermarks, too.

--
Eugen* Leitl leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
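
The design sketched in the two messages above (Samantha's "encrypt the records" and Eugen's patient-held key, escrowed backup, inspectable access log and traceable copies), as an added example written for this page rather than code from either poster. It is standard-library Python only, and makes assumptions to stay self-contained: the cipher is SHA-256 in counter mode with an HMAC tag, a stand-in for a real AEAD such as AES-GCM; recipient keys are symmetric where a deployment would wrap to a physician's public key; the smartcard and PIN are reduced to a key the patient holds; and the "watermark" is a visible per-recipient tag, not a robust watermark. Keys, identities and the record are constructed.

```python
"""Patient-held keys, escrow, a hash-chained access log and per-recipient
marking for records kept by an untrusted cloud store. Stdlib only: the cipher
(SHA-256 counter mode + HMAC, encrypt-then-MAC) stands in for a real AEAD such
as AES-GCM, and recipient keys are symmetric rather than public keys. All keys,
identities and records are constructed for this example."""

import hashlib, hmac, json, secrets


def _subkeys(key):
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()


def _keystream(enc_key, nonce, n):
    out = b""
    for ctr in range((n + 31) // 32):
        out += hashlib.sha256(enc_key + nonce + ctr.to_bytes(4, "big")).digest()
    return out[:n]


def seal(key, plaintext):
    """nonce || ciphertext || tag (stand-in for an AEAD)."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("tag mismatch: wrong key or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class AccessLog:
    """Hash-chained log the patient can inspect: each entry commits to the one
    before it, so editing or deleting an entry makes verify() fail."""
    def __init__(self):
        self.entries = []

    def _digest(self, prev, event):
        return hashlib.sha256((prev + json.dumps(event, sort_keys=True)).encode()).hexdigest()

    def append(self, event):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        self.entries.append({"event": event, "prev": prev, "hash": self._digest(prev, event)})

    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or e["hash"] != self._digest(prev, e["event"]):
                return False
            prev = e["hash"]
        return True


def store_record(patient_key, escrow_key, record_id, plaintext):
    """The cloud holds ciphertext under a fresh data key plus that key wrapped
    to the patient's (smartcard) key and to the escrow key; nothing else."""
    dk = secrets.token_bytes(32)
    return {"id": record_id, "ct": seal(dk, plaintext),
            "wrapped": {"patient": seal(patient_key, dk), "escrow": seal(escrow_key, dk)}}


def grant(holder, holder_key, env, recipient, recipient_key, log):
    """Patient (or escrow, in an emergency) re-wraps the data key for one
    recipient; the storage vendor never sees it. Every grant is logged."""
    dk = unseal(holder_key, env["wrapped"][holder])
    env["wrapped"][recipient] = seal(recipient_key, dk)
    log.append({"op": "grant", "record": env["id"], "by": holder, "to": recipient})


def _mark(mark_key, record_id, recipient):
    return hmac.new(mark_key, f"{record_id}:{recipient}".encode(), hashlib.sha256).hexdigest()[:16]


def read_record(env, recipient, recipient_key, log, mark_key):
    """Recipient decrypts; the copy it receives carries a recipient-specific
    tag (visible, not a robust watermark) so a leaked copy can be traced."""
    dk = unseal(recipient_key, env["wrapped"][recipient])
    text = unseal(dk, env["ct"]).decode()
    log.append({"op": "read", "record": env["id"], "by": recipient})
    return f"{text}\n[copy-id {_mark(mark_key, env['id'], recipient)}]"


def trace_leak(leaked_copy, record_id, recipients, mark_key):
    """Given a copy found on the open market, name the recipient it was issued to."""
    for r in recipients:
        if f"[copy-id {_mark(mark_key, record_id, r)}]" in leaked_copy:
            return r
    return None


def demo():
    patient_key, escrow_key, doctor_key, mark_key = (secrets.token_bytes(32) for _ in range(4))
    log = AccessLog()
    env = store_record(patient_key, escrow_key, "rec-1", b"Dx: hypertension; Rx: lisinopril")
    grant("patient", patient_key, env, "dr-xyz", doctor_key, log)   # patient approves access
    copy = read_record(env, "dr-xyz", doctor_key, log, mark_key)
    try:                                        # the storage vendor holds ciphertext only
        unseal(secrets.token_bytes(32), env["ct"])
        vendor_can_read = True
    except ValueError:
        vendor_can_read = False
    before = log.verify()
    log.entries[0]["event"]["to"] = "dr-abc"    # someone rewrites the log after the fact
    return {"plaintext_ok": copy.startswith("Dx: hypertension"),
            "vendor_can_read": vendor_can_read,
            "leaked_from": trace_leak(copy, "rec-1", ["dr-abc", "dr-xyz"], mark_key),
            "log_intact_before": before, "log_intact_after": log.verify(),
            "ops": [e["event"]["op"] for e in log.entries]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

What the example shows is the division of labour in the thread: encryption alone keeps the vendor out (it holds ciphertext and two wrapped keys it cannot open), but the escrow wrap is what stops a lost smartcard from losing the record, the hash chain is what makes the access log worth inspecting, and the per-recipient tag is what lets a copy that turns up for sale be traced to the physician it was issued to. None of it stops an authorized reader from copying out the plaintext, which is the residual risk both posters agree falls to penalties rather than cryptography.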

Samantha Atkins

Nov 6, 2009, 1:43:17 PM
to opensourc...@googlegroups.com

On Nov 6, 2009, at 1:55 AM, Eugen Leitl wrote:

>
> On Thu, Nov 05, 2009 at 10:00:02AM -0800, Samantha Atkins wrote:
>>
>> Sorry to top post but reasonably good encryption of said records
>
> The problem is restricting access. You need to keep the key in
> the person's possession (smartcard + PIN), requiring personal
> approval to give access (of course, you have to back up the
> key, and escrow it), log access, provide patient with ways to

Doing (1), the encryption and keys, is a good start. Other services
can be added later.

> inspect the log, ways to track leaked records (M.D. XYZ
> made unauthorized copies, pooled the records and sold them
> on the black market), draconian legislation making trade
> in medical records a risky proposition, and the like.

There is no way to stop someone that can decrypt the information from
sharing clear text copies. However, that is not part of the problem
of making the information secure in the cloud.

>
> So encryption is only a tiny part of it. Without infrastructure,
> and legal backing of it all there's not going to be anything
> useful.
>

I disagree. Having (1) has many benefits to patients. Simply having
the records online saves lives. You don't have to have everything
100% perfect for a system to be worth deploying. The perfect often
is the enemy of the good.


>> should solve this problem. There is nothing about storage in a
>> cloud
>> that says the data needs to be readable by unauthorized parties.
>
> Right, but even authorized parties can do mean things with your
> records when you turn your back. So you don't need just cryptographic
> authentication, but watermarks, too.

Nice to have but not immediately essential. Nor will watermarks stop
bad things from being done. But bad things are already done with
confidential information in its current form. So?

How about very very strong penalties for misuse of such information?

- samantha
