by Greg Freiherr

From Hillary to Ashley, black hats turn gray

Sep 08, 2015
Cybercrime | Data Breach | Government IT

Will health IT be next?

It is not often that hacking appears in a positive light.  That an offshore hacker does something that benefits America. That hacking is done out of… wait for it… morality.  And yet…

Hillary Clinton continues to flail in the wake of the revelation by a Romanian hacker two years ago that, while serving as U.S. Secretary of State, she used her own server to handle State Department emails.

In a cyber moment akin to Dirty Harry’s “Well do ya, punk?”, a hacker group calling itself The Impact Team last month issued a terse declaration: “Time’s Up!”  And a site founded on human weakness of Biblical proportions fell.

Unless you see the world in black and white (and, if you do, you have my envy for the peace of mind it must bring), the actions of these hackers are either vilified or commended depending on which side of various fences you happen to be standing on.

But one thing is for sure.  Hacking reveals what is otherwise obscured. Sometimes it uncovers information that tells a story that could use telling.  More often, however, it wrenches information from where it should be and puts it where it shouldn’t.

An example of the latter is the cyber theft of patient data. Data gathered by healthcare providers are not only intensely personal; in the hands of third parties they can serve only nefarious interests, causing extensive harm.

Yes, patient records typically contain financial data—bank accounts, checking accounts, credit card numbers. But they also contain personal and medical data – names, birth dates, policy numbers, diagnosis codes and billing information – that can be sold for 10 to 20 times what purely financial data, such as a credit card number, can bring.

Why? Because they can be used to make fake IDs. These can be used to buy prescription drugs, which can then be resold.  Patient data can also be used to make false medical claims to insurers, robbing the insurers and exposing patients to co-pay and deductible charges.

Data from millions of medical records have been stolen. Last year, Reuters reported that Chinese hackers broke into one of the biggest hospital groups in the U.S., Community Health Systems, and stole data from medical records belonging to 4.5 million patients. And this is just the most obvious.

According to a survey of healthcare organizations conducted earlier this year by the Ponemon Institute, 91% had one data breach during the past two years; 39% experienced two to five breaches; and 40% had more than five.

It has been suggested that the users of Ashley Madison got what they deserved.  A similar argument can be made that Clinton, for her decision to set up a private server, opened herself to discovery and, therefore, deserves the scrutiny she is under.

Clinton and the subscribers to Ashley Madison could have avoided their problems by making better decisions.  Patients do not have this choice.

They depend on security measures put in place by healthcare institutions, which for the most part have fallen short amid an increasing threat.  Criminal attacks on healthcare data rose 125% over the past five years, according to the Ponemon Institute.

Adding to this troubling picture is the possibility that telling the good guys from the bad might get more difficult in the future.  As America turns from volume medicine to value medicine, institutions are being held increasingly accountable for their actions.  As we have seen from individuals to politicians, accountability is not always welcome.

As part of its shift to value medicine, Medicare is encouraging hospitals to make patients healthier, as well as manage them more efficiently and cost-effectively.  Failing to do so will put hospitals at risk of being penalized. Hospitals serving Medicare patients are already being asked to disclose hospital readmission rates as a metric indicating how well they take care of patients. Hospitals with high readmission rates risk losing a percentage of their Medicare reimbursement.

What happens if medical institutions try to cover up poor performance? Altering data about readmission rates? Infection? Mortality following surgery?

If some outliers tweak the numbers to make them look better than they should, and hackers uncover those activities by accessing patient data – what hats will the hackers be wearing?