Photograph by Gunter Ziesler

An Australian medical center is fighting hackers who have encrypted patient records and demanded ransom.

An Australian medical center is facing the possibility that its patients’ electronic medical records may be locked away forever after hackers broke into its computer system and encrypted the files.

The hackers who captured the Miami Family Medical Centre’s data demanded A$4,000 ($4,196) to decrypt the information, David Wood, co-owner of the facility, told Australia’s ABC News, according to this report. They got past what Wood considered good computer-security measures, he said.  The facility is now left with the “very, very, very difficult” task of operating without patient records until the hackers are paid or independent consultants can defeat the encryption on their own, he added.

“We’ve got all the antivirus stuff in place,” Wood told ABC News. “There’s no sign of a virus. They literally got in, hijacked the server and then ran their encryption software.”

The center did not immediately respond to an e-mail from Bloomberg News.

The information may be gone for good, as extortionists often follow one ransom demand with another and may never unlock the data, Nigel Phair, a former investigator with the Australian High-Tech Crime Centre, told ABC News.

The case shows how the digitization of medical records can be a danger to patients. I reported in August on a similar breach affecting a medical center in an affluent Illinois suburb whose records were also hacked and held for ransom. The facility, the Surgeons of Lake County, has declined to comment on the investigation or on whether the data were backed up.

Incidents like those are likely to become more common as medical providers make the shift to digital records, and as health care providers swap those files over “health information exchanges,” clearinghouses for medical data that are already the target of complaints.

The technologies promise to improve patient care, but they also introduce the risk of criminals stealing health data for profit. Health information can be sold on the black market and used for identity theft, a growing problem that some victims battle for decades.

Wood, of the Australian medical center, has learned a valuable lesson about data security: “Check your IT security and don’t leave backups connected to servers.”

Original post is Hackers Hold Australian Medical Center’s Records for Ransom by Tech Blog.

Photograph by Getty Images

Online advertising firm Epic Marketplace is accused by the FTC of spying on Internet users' browsing histories.

There are few things as creepy in online marketing as digging into someone’s health history, without their knowledge, to advertise to them. Yet that’s precisely what New York-based Epic Marketplace is accused of doing.

According to the online advertising company’s settlement with the U.S. Federal Trade Commission, Epic used a technique to snoop on people’s Internet browsing histories and sold that information to marketers, my colleague Sara Forden reported.

The company exploited a flaw that existed widely in Internet browsers until about two years ago to accomplish its surveillance, according to the FTC’s complaint against Epic. The flaw allowed websites to check whether visitors had also viewed other sites — a boon for underhanded marketers and site owners, as well as a gigantic privacy violation. Most modern browsers are protected.

Epic, whose tracking technologies existed on tens of thousands of partner sites, would ping visitors’ browsers for evidence that they visited any of more than 54,000 other domains, and record whether they saw pages related to fertility, impotence, menopause and incontinence, as well as non-health-related topics such as credit repair and personal bankruptcy. That information was then included in the profiles that Epic built and used to target people with advertisements, according to the FTC.

Stanford University graduate student Jonathan Mayer exposed Epic’s practices last year.

Epic could not be reached for comment. Three phone numbers listed for the company were disconnected. Key executives went on to found another firm, Kinetic Social, after some Epic partners said earlier this year that Epic had stopped paying its bills. Hank Kim, a spokesman for Kinetic, said the history-sniffing technology was used by a firm that Epic bought and was not disclosed to the marketing company at the time of the deal. Epic took steps to stop the practice once it was discovered, Kim said.

The flaw that Epic is accused of exploiting dealt with the way websites could query visitors’ browsers and get answers about which other sites they’d visited. Sites that had been visited would display a hyperlink in purple, and those Web pages that had not would display in blue.

To make matters worse: Even if someone cleared their tracking cookies and employed other privacy measures, their browsers would still silently betray them, offering up a record of other places they’d been on the Web.

The settlement bars Epic from using “history sniffing” technology in the future and mandates that it destroy all data collected using it, according to the FTC. Epic’s privacy policy had promised visitors that they would only be tracked on the more than 45,000 sites that Epic partners with, not sites outside of that network. The history sniffing code constituted a deceptive business practice, the FTC said.

“Consumers searching the Internet shouldn’t have to worry about whether someone is going to go sniffing through the sensitive, personal details of their browsing history without their knowledge,” FTC Chairman Jon Leibowitz said in a statement. “This type of unscrupulous behavior undermines consumers’ confidence, and we won’t tolerate it.”

The case is a vivid example of the lengths that some online marketers will go to fill their databases and carve out a niche in a highly competitive industry. As the social networks have illustrated, people are often the product online, and we’re the ones being shopped, not the other way around.

It’s an agreement we’re often OK with, a reasonable tradeoff for a valuable service like free e-mail. But the case against Epic shows in stark terms that there are corners of the consumer Internet where even services that do business with high-profile, legitimate sites may go over the boundary of acceptable behavior.

Epic was no fringe entity.

According to the FTC, the history-sniffing code was used on more than 24,000 sites that partnered with Epic to serve up targeted advertisements. Some of them are quite popular, including cnn.com, papajohns.com, redcross.com, and orbitz.com. The sites may have had no idea their visitors were being violated in this way.

Original post is How Online Marketer Peered Into People’s Health Histories by Tech Blog.

Photograph by Gary Gershoff/Getty Images

Medical devices such as mammography machines can be vulnerable to hacking attacks.

Your doctor’s office likely doesn’t have any digital security for its mammography machines, heart pumps and other devices that are vulnerable to hacking, according to a new study.

In a survey of 80 health care organizations in the U.S., the Ponemon Institute found that nearly three-quarters said they don’t secure their medical devices, even though they contain sensitive patient data. The organizations were not named.

“This finding may reflect the possibility that they believe it is the responsibility of the vendor — not the health care provider — to protect these devices,” said the report by Ponemon, an independent research organization.

The results point to a new danger to patients’ privacy at a time when medical providers are moving toward electronic records and the sharing of files on so-called health information exchanges.

The digital risks for health care firms are growing. Hacking attacks against medical providers are becoming more frequent and breaches are getting more expensive, Ponemon found. Ninety-four percent of respondents said they had at least one data breach in the past two years, up from 86 percent in 2010. Many breaches cost the organizations more than $1 million.

For the health care industry, these breaches may cost as much as $7 billion per year, according to Ponemon, which gets sponsorships for its studies from industry partners. ID Experts, a firm that sells identity-theft protection services, paid for the latest survey.

One particularly alarming incident emerged in July, when a surgical center in Illinois revealed that hackers had broken into its computer network, encrypted patients’ electronic medical records and demanded ransom.

Hackers historically haven’t had much interest in medical devices, which weren’t connected to the Internet. But the bull’s eye has grown as some of these devices have gained the ability to communicate patient data wirelessly and with personal computers that are online.

As Bloomberg.com’s Tech Blog has reported, researchers have demonstrated scary vulnerabilities affecting insulin pumps and pacemakers, prompting the U.S. Government Accountability Office to conclude that the Food and Drug Administration needs to exercise more scrutiny over medical devices’ security, not just their safety and reliability.

The vulnerabilities could enable a hacker to scan a crowd with a handheld antenna and force pumps to dispense lethal doses of insulin. To date, the attacks have only been demonstrated in research labs.

As unsettling as the lack of security for medical devices is, there’s another way to look at the issue.

According to Ponemon, 69 percent of respondents said their data-security  policies don’t cover medical devices. But that means 31 percent said their policies do cover the devices. The report doesn’t offer a year-over-year comparison, but the fact that nearly a third of organizations find the threats important enough to impose some safeguards is significant. Medical devices have not been a focus of the computer-security industry.

The statistic may still be of little comfort, but it does indicate that some health care organizations are waking up to this realization: Their medical devices are becoming just another set of computers, ready to be hacked.

Original post is Many Doctors Don’t Secure Medical Devices From Hackers, Study Finds by Tech Blog.

Photograph by Reza Estakhrian

Medical identity theft affected an estimated 1.5 million people in the U.S., according to the Ponemon Institute.

Arnold Salinas knows a lot about the person who stole his identity.

He’s 5-foot-9, 190 pounds. He pays for pizzas with forged checks, defaulted on a $17,000 car loan and has traveled the country, racking up speeding tickets and thousands of dollars in unpaid taxes, according to Salinas and a firm he’s hired to clean up the mess.

But the worst part is: The imposter is sick.

Salinas, a 53-year-old maintenance worker, is fighting the nastiest form of identity theft — someone has taken out medical care in his name. Among the strange bills that have arrived at his Fresno, California, home over the past decade are debt-collection notices for extensive radiology and other treatments at four hospitals in Kansas and Texas.

“I have to be super, super careful from now on,” Salinas said. “God forbid I go to the hospital and they get his records.”

Medical identity theft affected an estimated 1.5 million people in the U.S. at a cost of $41.3 billion last year, according to the Ponemon Institute, a research center focused on privacy and data security. The crime has grown as health care costs have swelled and job cuts have left people without employer-subsidized insurance. Making matters worse: The complexity of the medical system has made it difficult for victims to clear their name.

Salinas’s story illustrates how cases like these can take years to resolve, longer than other forms of identity theft. Salinas has been fighting his case since 2002.

Clean Up

“What makes it so difficult is you have to go provider by provider, hospital by hospital, office by office and correct each record,” said Sam Imandoust, a legal analyst with the Identity Theft Resource Center. “The frustrating part is while you’re going through and trying to clean up the records, the identity thief can continue to go around and get medical services in the victim’s name. Really there’s no way to effectively shut it down.”

The fractured nature of the health care system makes medical identity theft hard to detect. Victims often don’t find out until two years after the crime, and cases can commonly stretch out a decade or longer, said Pam Dixon, founder of World Privacy Forum and a leading expert on the issue.

Some forms of identity theft can take as little as a few days to resolve, since banks and other financial institutions are generally equipped to handle the complaints.  But medical identity thieves typically get treatment at five facilities or more, and the system isn’t set up to fix these kinds of errors, Dixon said.

Chronic Condition

“Most people never have a full cure — it’s very rare,” Dixon said. “It’s going to be a lifetime situation. It’s going to be like getting a scar on your leg. You heal your scar but you always have a little bit there.”

Complicating the process of fixing one’s medical records is that some victims face resistance in obtaining files from doctors. The physicians’ reason? The files contain sensitive health information about the imposter.

That’s what Vicki Lee Blair, a 63-year-old former computer analyst from Westminster, California, said happened to her.

During a period of unemployment, Blair went to a clinic run by the Orange County Health Care Agency in 1995 seeking antidepressant medication. She said she was shocked when clinicians peppered her with questions about a blood test in her file indicating thyroid problems and illegal drug use. A laboratory report reviewed by Bloomberg shows signs of two people’s records being mixed, such as an incorrect birthdate and different patient identification numbers.

Sorrow, Anger

She insisted the records were inaccurate, potentially the result of extensive identity theft that occurred a year earlier, possibly by a local woman with a similar name. Almost 20 years later, Blair is still fighting to clean up her record. The blood test has not been removed, she said.

Blair said she is broke and is convinced the record has hurt her ability to get affordable insurance, leaving her with constant anxiety.

“I have only two emotional responses left — sorrow, which produces nothing but tears, and anger,” she said in an interview. ”At this point I’m not a well-rounded person, I’ll admit that.”

James Harman, supervising deputy county counsel for Orange County, declined to comment, citing patient privacy concerns.

Electronic Records

The wider sharing of health data is fueling uncertainty about where bad records end up.

“Health information exchanges” are a cornerstone of the Obama administration’s health-care overhaul, allowing medical providers to swap patients’ digital medical records electronically. The exchanges can speed up and improve care, but they also raise the risk that an error in one place could wind up in another. Some exchanges have been found to share data without alerting patients, the subject of an earlier Bloomberg.com story.

For victims, there are few effective measures for prevention.

Setting fraud alerts with the credit-reporting agencies is one way to learn whether a perpetrator’s medical bills have gone into delinquency and were sent to debt collectors. By then, though, it’s too late.

Check the Teeth

The crime is “insidious,” said Deanna Jones, a fraud investigator who works with ID Experts, a firm that worked with Salinas on his case. Most medical facilities don’t have policies in place for responding to medical identity theft, especially for correcting records, she said.

As for the person who stole Salinas’s identity, he may never be caught, Jones said.

Salinas said he’s worried that as he gets older, at some point the records might get mixed. The thief also took out dental care in Salinas’s name, prompting him to issue his family an unusual warning.

“I told my son, if I ever die and there’s only dental records, make sure it’s me,” he said. “I might be on vacation somewhere.”

Original post is How Medical Identity Theft Can Give You a Decade of Headaches by Tech Blog.

Photograph by Steve Wisbauer

The incident showcases an unsettling new strain of opportunism that's emerging as criminals try to exploit digital records.

As more patient records go digital, a recent hacker attack on a small medical practice shows the big risks involved with electronic files.

The Surgeons of Lake County, located in the affluent northern Illinois suburb of Libertyville, revealed last month that hackers had burrowed deeply into its computer network, infiltrating a server where e-mails and electronic medical records were stored.

But unlike many other data breaches, the hackers made no attempt to keep their presence a secret. In fact, they all but fired a flare to announce the break-in, taking the extreme step of encrypting their illicit haul and posting a digital ransom note demanding payment for the password.

The doctors turned the server off and notified the authorities, refusing to pay.

“This story is so ironic — most people worry that their health records will be spread all over their local newspaper,” said Dorothy Glancy, a professor at Santa Clara University’s law school who specializes in digital privacy. “But in this case, the doctors — in fact, nobody — can access these records.”

The Surgeons of Lake County isn’t the first health care provider to be targeted by extortionists. But the incident, which was spotted by privacy blogger Dissent Doe in a federal database of health-related breaches, showcases an unsettling new strain of opportunism that is emerging as criminals try to exploit the industry’s shift to digital medical records.

The attackers’ choice of tactics, particularly the use of encryption, indicates a level of sophistication and targeting that suggests they knew what they were doing, said Rick Kam, president of ID Experts, a Portland, Oregon-based company that makes data-breach prevention technology and specializes in health care.

Based on the number of practices moving to electronic health records, “many more” of these types of breaches should be expected, he wrote in an e-mail.

Medical-data blackmail has been a niche crime, largely because of the difficulty and risk involved. Spam and online bank fraud are easier ways for fraudsters to make money.

Earlier cases, though, underscore the value to a criminal of medical data.

One case involved Express Scripts, the large prescription-drug benefits manager that received a threat in 2008. Someone sent the St. Louis-based company personal information on about 75 of its members, including Social Security numbers and prescription records, and demanded an unspecified sum. The company refused to pay, and eventually notified 700,000 customers that their information could have been exposed.

And in 2004, health care facilities came under fire for outsourcing their transcription chores when several California hospitals were blackmailed by their own workers in India and Pakistan.

As I have reported earlier, the spiraling cost of health care and lack of insurance for millions of people have made medical identity theft a growing problem. Security and privacy risks are also emerging with the creation of “health information exchanges,” which are vast databases that states are setting up to handle all the electronic medical records.

It’s unclear whether the Illinois surgical center’s records were backed up or have been recovered. The organization declined to comment.

“Safeguarding every patient’s personal information is a top priority at The Surgeons of Lake County,” Dr. Scott Otto, the center’s president, said in a statement. “We are devoting significant people and technological resources to help protect patient confidentiality.”

For all of the benefits of making health records electronic, this incident highlights a downside, said Santa Clara University’s Glancy.

“This is a warning bell,” she said. “Maybe they’re the canary in the coal mine that unpredictable things can happen to data once it’s digitized.”

Original post is Hackers Steal, Encrypt Health Records and Hold Data for Ransom by Tech Blog.

Photograph by Isaac Brekken/AP Photo

Jay Radcliffe displays a radio device he uses to perform an attack on an insulin pump at the Black Hat conference last year.

When Jay Radcliffe went public last year with his discovery that some insulin pumps can be hacked, he didn’t expect it would take a year to get a meeting with the company that makes the vulnerable products.

Yet that’s about how long it’s taken to get Radcliffe and Medtronic, one of the world’s biggest medical device makers, together.

Radcliffe is set to appear on a panel today with Michael McNeil, Medtronic’s chief privacy and security officer, at the Amphion Forum in Washington, D.C., a computer-security conference. For Radcliffe, their appearance together is more than a validation of his research — it’s also a sign that the medical equipment industry may be embracing hackers.

“It’s a very big shift,” said Radcliffe, a diabetic and computer security professional from Idaho. “If you would have asked me ten months ago if I’d be on stage with them at a security conference, shaking hands and saying we’re working together to make medical devices safe, I would have laughed. I would have said that’s an impossible thing.”

The Minneapolis, Minnesota-based company had previously refused to look at details of Radcliffe’s findings, according to Radcliffe. Medtronic hired security consultants to examine its products after Radcliffe raised the issue at a security conference, but has said little else about the issue.

“Medtronic has and will continue to engage a variety of researchers and experts on issues related to device security at conferences and other venues,” the company said in a statement. “We appreciate the technical expertise and insight that comes from the security community and recognize that patients will benefit from our collaboration on this industry-wide issue.”

Radcliffe’s experience until now underscores a familiar hackers’ dilemma. Tell a technology company that you’ve found security holes in its products, you may get nothing but radio silence, amid fears of liability or sheer inexperience in dealing with security researchers.

To be the target of attacks — albeit by researchers — is an unfamiliar position for medical device makers. But now that more of these devices have wireless connections to help with things like diagnostics, the attention on them is increasing.

Another hacker, Barnaby Jack, who works for antivirus vendor McAfee, has also demonstrated problems with Medtronic products, taking Radcliffe’s findings a step further by showing how to use an antenna to scan public places and attack pumps from up to 300 feet away.

“I have to give Medtronic a lot of credit,” Radcliffe said. “It takes a lot for a corporate structure to say, maybe we didn’t do it right.”

Original post is Insulin Pump Hacker, Medical Device Maker Come to the Table by Tech Blog.

Photograph by Betsie Van der Meer

The average cost per victim of medical ID theft was $22,346 this year, up from $20,663 last year, the survey found.

If your credit card is stolen, it may take a few minutes on the phone with the bank to reverse the fraudulent charges.

But if your identity is stolen and used for medical treatment, it could take a year or longer to undo the damage, a new study released today found. Victims may also get dropped by their insurance provider and end up paying the imposter’s bills just to make the problem go away, potentially to the tune of $100,000 or more.

Medical identity theft is an especially harmful scam that is time-consuming and getting more expensive for victims, a trend that shows the health care industry’s difficulty in fighting a problem that may affect as many as 1.85 million people in the U.S. this year, up from 1.49 million a year ago, according to the Ponemon Institute’s third annual survey on the topic.

This type of theft is estimated to have a $41.3 billion impact on the U.S. economy, up from $30.9 billion last year, the report said.

Health care providers and insurance companies are grappling with an influx of identity thieves, a problem that’s becoming more acute as prolonged unemployment and rising medical costs have added to the ranks of the uninsured. About 50 million people in the U.S. don’t have health insurance, according to the Department of Health and Human Services, and the question of the government’s role in how to insure them is now before the U.S. Supreme Court, which is set to rule this week on the legality of President Obama’s health care overhaul.

The lack of coverage has driven some people to resort to criminality to obtain medical care. Prescription drug addictions also play a big role. Either way, the toll on victims is rising.

Ponemon produces a study each year on the cost of medical identity theft, and for this year’s report, the Traverse City, Michigan-based organization interviewed 757 people who said they or their family members were victims of medical identity theft.

The average cost per victim was $22,346 this year, up from $20,663 last year, the survey found. Some people paid much more: 6 percent of respondents reported paying $100,000 or more to resolve their cases.

Those costs include lawyers and credit-monitoring services, which are standard for nasty cases of identity theft. But there are other expenses that are unique to this type of fraud and underscore the complicated nature of the crime.

Victims are sometimes dropped by their insurance companies, forced to pay the full cost of their medical expenses while they’re working to resolve their cases and find new coverage. Forty-one percent of respondents said their coverage was terminated as a result of the identity theft, down from 49 percent last year, the survey found.

Forty-five percent of the victims also reported simply paying for medical services or pharmaceuticals provided to the imposters to make the problem go away, up from 44 percent last year, the report said.

If that seems surprising, consider this: The process of resolving a medical identity theft case is so long — on average, it takes 12.1 months, essentially the same as last year, according to Ponemon — that paying the bill can make more financial sense than dragging out the fight.

Not all victims are completely innocent.

Victims often don’t report the crime because they know the perpetrators, according to the survey. Family members are often the culprits in medical identity theft cases. Many victims find out after the fact, while some even grant their permission for the crime to be committed in their name.

Thirty-one percent of the survey respondents said they let family members use their information to obtain medical care, up from 26 percent last year. Most said it was because their family members were uninsured, couldn’t afford care or were experiencing a medical emergency.

Larry Ponemon, the institute’s founder, said his organization interviewed about 40 survey respondents more in-depth on this issue. Most people who fell into this category were “simply careless” and didn’t understand the consequences of their actions, he wrote in an e-mail. Some may have been trying to cheat the system even more by claiming they were identity-theft victims to avoid paying any costs, but it was hard to determine people’s true motivation, Ponemon said.

For legitimate victims, there are few good ways to prevent medical identity theft, which can begin with hacking attacks or the loss or theft of medical-office computers.

The health care industry lags its peers in key ways to fight this kind of fraud.

Financial services firms have found a speedy way to deal with bogus charges, driven by the need to keep credit card transactions humming and fraud rates low. When people’s credit cards are ripped off, banks and retailers eat the costs. Under federal law, consumers’ liability is capped at $50 for each lost or stolen card, which hardly anybody has to pay. The industry has a clear motivation to clear fraud victims’ cases quickly so they can start spending again.

Health care providers have less experience in this area.

Clare Krusing, spokeswoman for America’s Health Insurance Plans, a lobbying group for the U.S. health insurance industry, said the organization doesn’t have enough data on the issue to comment. Representatives for the American Hospital Association and the National Health Care Anti-Fraud Association did not immediately respond to requests for comment.

Many people find out they are victims of medical identity theft when they are contacted by debt collectors, looking to recoup a hospital’s or insurance company’s unpaid expenses.

It’s hard to stop the crime before it’s happened, unlike many purely financial schemes that can be stopped with free fraud alerts that trigger phone calls to potential victims when new lines of credit are opened in their names.

To protect against medical schemes, however, there is one fairly effective method: you can monitor your credit report for signs of any unpaid medical expenses going in to collections. All of the major credit-reporting agencies — Equifax, Experian (which sponsored the Ponemon study) and TransUnion — must provide a free credit report once a year for people who ask.

Original post is One Year of Your Life and $100,000: Growing Cost of Medical ID Theft by Tech Blog.

From Latanya Sweeney, Data Privacy Lab, Harvard University, 2010

A graphic depicting the sharing of a person's health data.

Two years ago, Latanya Sweeney created a graphic on the widespread sharing of medical files that shocked lawmakers, technologists and doctors.

Sweeney, who founded the Data Privacy Lab at Harvard University, produced a “health data map” that looks like a windshield cracked by a few big rocks. At the center is someone’s health record, medical provider and insurance company. Emanating from them are webs of more than two dozen organizations that could have legitimate access to the file, including transcription services, medical researchers, and even data-mining firms and pharmaceutical companies.

“Collectively, you’d hear a gasp and then a moment of silence — that was pretty universal,” she said, describing the reaction during her congressional testimony and presentations to privacy summits, academic conferences and medical schools.

However, Sweeney said there are limitations in tracking the movement of medical data, and many doctors are in the dark about where their patients’ data go. So at the Health Privacy Summit in Washington, D.C., which starts Wednesday, she plans to unveil a new project to harness the collective knowledge of doctors, data-breach victims, whistle-blowers, technology specialists and others to build a new, more comprehensive health data map.

“If we can get a lot of people to march in this direction and keep them there and entertained and incentivized, I think what we’ll uncover will be mind-blowing,” said Sweeney, who is a computer scientist.

Her project comes amid a U.S. push to digitize patient records, which has created lifesaving benefits but has also made it easier for medical files to end up in unexpected places. As I reported last month in a special report for Bloomberg.com, loopholes in the federal law have allowed the collection and sharing of private medical information without patients’ consent.

Sweeney’s work has focused on identifying those unexpected places and on showing that it’s possible to determine some people’s identities from medical data, even after the records have been stripped of personal information. Adding to the alarm, she said the number of third-party entities receiving medical data has more than doubled in the past decade, and some firms that once received only “anonymized” data now get records that identify people.

While Sweeney’s earlier mapping effort drew on her experience as a legal expert and her work with the privacy center, her new project, thedatamap.org, needs submissions from others to help sketch a more complete picture of how medical data are shared.

At first, she’s seeking submissions of Internet links that show data-sharing relationships between medical providers and others. People will sign up with an e-mail address to be “data detectives,” and the accuracy of their submissions will be checked by other people who have signed up to submit links. Eventually, the map could include information from other sources.

Deborah Peel, a physician and founder of Patient Privacy Rights, the Austin, Texas-based group putting on the conference, said a promising aspect of Sweeney’s project is its open nature, which will help ensure accuracy by allowing organizations that are mentioned on the map to respond.

“There’s some self-regulation there — we’re pretty hopeful that if somebody says something wrong about a hospital or a corporation, that they’d respond and provide the right information,” Peel said.  “It’s kind of ridiculous we’re forced to resort to this because there’s no chain of custody for our data.”

Even if the project gets little public input, the research can still be used to pressure lawmakers into mandating that data-sharing arrangements become more transparent, Peel said.

Sweeney said a goal of the research is to identify areas where patient data might be vulnerable to theft or abuse. It’s not to prevent the sharing of medical data entirely, she said.

“Because you don’t know where your data is going, harms are almost impossible to report and detect,” she said. “We don’t want to stop data sharing. There are a lot of uses and benefits that come from it. But how do we do it in a responsible way? As long as the data sharing is invisible, you can’t possibly do that.”

Original post is As Health Records Go Digital, Where They End Up Might Surprise You by Tech Blog.

Photograph by Joey Foley/Getty Images

The Methodist Hospital in 2010 in Indianapolis, Indiana. The state has one of the most advanced exchanges in the country.

Indiana isn’t usually considered a hub of technological innovation. However, about 2,000 miles from Silicon Valley, it has solved a problem that has flummoxed even high-tech states like California.

Indiana has built one of the most advanced “health information exchanges,” a computer network that lets doctors from different practices swap patients’ electronic medical records with the ease of a mouse click.

As I reported on Bloomberg.com, hundreds of such exchanges have popped up around the country, most in the last two years and fueled by $548 million in grants from the Obama administration as part of its health care overhaul. There have been problems: In Maine, patients discovered their medical files were being poured into a statewide database without their knowledge. California has struggled to recruit enough doctors to share their records. Some exchanges have even gone belly-up.

The Indiana Health Information Exchange, meanwhile, is a nonprofit that was launched in 2004 and now has 5 billion pieces of health data up to 40 years old. It is one of the oldest and most technologically sophisticated exchanges in the country, owing to a partnership with the Regenstrief Institute, an Indianapolis research organization that developed one of the nation’s first electronic medical records systems more than 30 years ago.

Indiana has four other, smaller exchanges. Together, they cover more than 4.5 million of Indiana’s 6.5 million residents — a level of coverage that will take many other states years to achieve.

The amount of medical data sloshing around Indiana makes it a national model. The lifesaving benefits of doctors being able to instantly pull up patients’ medical histories, such as medications and lab results, is unquestioned. But Indiana’s success comes with a caveat: The state has no law mandating patient consent before doctors share patient data with exchanges. That has been crucial in allowing the system to flourish, said Andrew VanZee, Indiana’s director of health information technology.

“One of the reasons Indiana has been successful is we haven’t over-regulated the private sector,” VanZee said. “It’s allowed the market to blossom. We were able to do a lot of that work when there was less scrutiny.”

The result is many patients may not know they’ve been included. And if they are aware, opting out is hard: Patients must be granted permission by their health care providers to opt out of the exchange, said Molly Butters, spokeswoman for the Indiana Health Information Exchange. The number of people who opt out is “very low,” she said.

Those two factors have rankled some consumer watchdogs and raised a sensitive idea: that stricter privacy controls, when it comes to health information exchanges, can both help and hurt consumers at the same time by restricting the flow of some of the most sensitive data on earth.

Maine also didn’t have a state law mandating patient notification before their data were shared with an exchange. That is, until patients found out their records were being shared without their permission and cried foul. They pushed through new legislation last year mandating that patients get an opt-out form at the time of treatment.

Eric Thieme, general counsel for the Indiana Health Information Exchange, said all health care providers that are part of the exchange are contractually obligated to notify patients how their data will be used.

But Deven McGraw, director of the Center for Democracy and Technology’s health privacy project in Washington, said policies like Indiana’s give patients little real choice and can serve the needs of health care providers more than patients. In the U.S., 48 exchanges give patients no choice at all about such matters, according to eHealth Initiative, a nonprofit organization that researches health-care technology.

“Some of these health information exchange efforts don’t pay enough attention to the importance of building public trust in what they’re doing,” she said. “The public trust issue is really, really critical. Just getting the providers on board and constructing a system that works for them is not enough.”

Indiana is closing in on a milestone: VanZee said that Indiana should have its five exchanges fully connected to each other by this summer. That could pave the way for other states to link their exchanges to Indiana’s, allowing residents’ electronic medical files to follow them across state lines.

Original post is How to Build a Mountain of Patient Data: Don’t Ask for Permission by Tech Blog.

Photographer: David Paul Morris/Bloomberg

Barnaby Jack uses a mannequin equipped with an insulin pump to show the vulnerabilities of wireless medical devices.

In his San Francisco apartment, Barnaby Jack waves a small antenna to demonstrate how a deadly hacker attack against a diabetic would begin.

The 34-year-old is best known for hacking into cash machines and making them spit out money on stage at a Black Hat computer security conference in 2010. Today, he is hunting security holes in wireless medical devices, and his latest stunt involves insulin pumps, the pager-sized devices that diabetics wear to dispense the lifesaving hormone into the body.

Jack aims the antenna at a see-through mannequin he has outfitted with a plastic baggie of clear liquid taped to its insides — that’s the pancreas. After a push of a button on his laptop, the antenna locates the insulin pump holstered to the mannequin’s hip, and a program Jack has written steals the pump’s security credentials. His software then instructs the pump to dump its contents, slowly injecting insulin into the fake pancreas through a small tube, filling the baggie with blood-colored liquid he’s concocted.

Insulin pumps, pacemakers and other medical devices can now communicate wirelessly, which makes them vulnerable to hacking. No known attacks have occurred in the real world, but several researchers have explored the possibilities. A key problem is the devices can’t currently be updated without being recalled, unlike PCs or mobile phones that are constantly getting security fixes.

Jack’s findings, slated to be presented today at the RSA security conference in San Francisco, represent a dangerous type of computer attacks that can inflict real-world pain.

“These are computers that are just as exploitable as your PC or Mac, but they’re not looked at as often,” Jack said. “When you actually look at these devices, the security vulnerabilities are quite shocking.”

This isn’t the first time the issue has come up. A study in 2008 from a consortium of academics found that a popular pacemaker-defibrillator could be remotely reprogrammed to deliver deadly shocks.

Medical-device security became a flash point last summer when Jay Radcliffe, an Idaho-based hacker and Type 1 diabetic, showed how hackers could manipulate the bestselling pump he used.

Radcliffe got hate mail by the hundreds, but he also got the attention of lawmakers, who successfully pressured the Government Accountability Office to investigate whether the medical device industry’s cyber security rules are tough enough. The GAO report is due in July.

Jack’s attack takes what Radcliffe did a step further.

He has discovered a way to scan a public space from up to 300 feet away, find vulnerable pumps made by Minneapolis-based Medtronic Inc., and force them to dispense fatal insulin doses. Jack doesn’t need to be close to the victim or do any kind of extra surveillance to acquire the serial number, as Radcliffe did.

The program Jack has written is something that bad guys with enough skill could replicate and sell online, a common practice in cyber crime. The antenna and other gear is easy to acquire online, he said.

Jack, a researcher with McAfee Inc., has never actually done the attack against anyone. All the work has been tested in his home lab, with the intent of pressuring device makers to improve the security of their products.

Medtronic, one of the world’s biggest medical device makers, said in light of the research it has hired security teams from Argonne National Laboratory, Symantec Corp. and Wurldtech Security Technologies Inc.  to inspect its products and is coordinating with the Department of Homeland Security to implement changes, which may take years.

“Medtronic takes patient safety and device security very seriously,” the company said in a statement.

The U.S. Food and Drug Administration said that electronic eavesdropping is a concern for any medical device with wireless communication components, and that device makers are responsible for making sure their equipment can be updated after it’s sold. For many devices, that’s not possible without a recall.

Nathanael Paul, a computer security researcher specializing in medical devices and Type 1 diabetic, says that Radcliffe and Jack’s work brings important public attention to issues that have been known privately for several years.

Paul, a research scientist with Oak Ridge National Laboratory, said he discovered many of the same things that Jack and Radcliffe did but pursued a different path. His group made its discoveries in 2010 and presented them quietly to the FDA and industry officials.

“I wanted to effect change and I wasn’t exactly sure the best way to go about it,” he said. Paul added that while many interactions with government and industry insiders were positive, it can take years for changes in medical devices to hit the market because of long product cycles and regulatory roadblocks. He said there are other weak spots in the devices beyond the wireless components that could emerge in future research.

Jack revealed some details of his attack at a small hacker conference in Florida last year and says he has considerably strengthened the attack since then. For instance, his program can now disable security alerts on the pumps. He isn’t releasing details of the vulnerabilities, he’s just showing what’s possible.

A troubling element of such research is that it could inspire others to pursue these real-world attacks. Jack and Radcliffe both acknowledge the possibility, but say the technical skill required means that mass attacks are unlikely.

Still, each vulnerability that’s discovered raises the possibility that someone bent on destruction will attempt to exploit it in the real world. Jack says he is working now to see if there’s a way to forcibly update the devices, which is a double-edged proposition, since even that capability could be hijacked by criminals. He says the problems stem from a lack of foresight by device makers.  Security, he says, wasn’t a priority when the devices were designed.

“It wasn’t even an afterthought,” he said. “It wasn’t even a thought at the time.”

Original post is Hacker Shows Off Lethal Attack By Controlling Wireless Medical Device by Tech Blog.