4 health privacy threats that will freak you out

Imagine walking into your practice offices one sunny Monday morning in June, carrying a cup of coffee, the morning newspaper queued up on your iPad. You greet your co-workers, grab a bagel from the bag someone left in the break room, settle into your office and turn on the computer.

That's when you find the electronic note posted to your server from hackers who are holding your electronic health record data for ransom. You can't log into the system, you can't access email and you have no idea whether or how much patient data was compromised.

If we were handing out awards for the strangest data security breach of 2012--and worst Monday morning moment of 2012--the Surgeons of Lake County in Libertyville, Ill., would surely take the dubious prize.

The U.S. Department of Health & Human Services keeps an online list of all data breaches affecting more than 500 patients on its site--and you can crunch those numbers until the cows come home. But it's not the numbers that interest me most. It's the stories behind them.

And there are so many stories behind them.

1. The hacker breach

In the Lake County case, an unauthorized remote user posted a message on the practice's server stating that its contents had been encrypted and could only be accessed with a password. The hackers would give the surgeons the password … in exchange for a ransom. (The docs did not pay--instead they turned off the server and called the police.)

The breach affected more than 7,000 patients--putting their names, addresses, Social Security numbers, credit card numbers and certain medical information at risk--according to HHS.

2. The social breach

This is one of those stories that you simply cannot make up: Our own FierceEMR editor, Marla Durben Hirsch, received a phone call from the public relations representative of a Stanford University medical student (that the student has a PR person isn't even the strangest part) who asked her to write an article about how HIPAA was impeding his social life … because he wasn't allowed to post patient information on Facebook or other social media sites.

"Evidently he and other medical students were creating secret identities to bypass HIPAA," Hirsch wrote. "None of these kids should be in medical school."

Indeed, there have been plenty of news stories about social media breaches, although they seem to have slowed in 2012 (unless the violators are just getting better at hiding it).

In one hair-raising story from December 2011, an employee at Providence Holy Cross Medical Center in California posted a picture of a patient's medical record on his Facebook account, saying it was "funny" that the patient "came in to cure her VD and get birth control." When commenters protested, he responded, "People, it's just Facebook. ... It's just a name out of millions and millions of names. If some people can't appreciate my humor, then tough. And if you don't like it, too bad because it's my wall, and I'll post what I want to."

If that doesn't make you sick, go read the story on FierceHealthcare that rounds up some of the worst social media patient privacy violations over the past few years--there are examples that are even more disgusting there.

3. The ghost in the machine breach

I think most patients understand that their medical records contain sensitive information that they don't want everyone and their brother to see. Fewer, perhaps, make the connection that medical records also contain information a thief can use for financial fraud and identity theft--although according to an October report from Verizon, profit is the main motivation for most hackers.

But how many patients know that hospital equipment is riddled with malware that could interfere with operation or change readings? It's happened: The Veterans Administration reported 173 incidents of security breaches of medical devices from 2009-11 that disrupted glucose monitors, canceled patient appointments and shut down sleep labs.

In this case, old operating systems are often to blame--it's a matter of keeping antivirus software up to date, and hospitals are working with vendors to fix that threat. But it's not always possible to patch old systems, which means a big bill to fix this problem will inevitably be coming due.

4. The horror movie breach

That hospital devices are at risk is bad enough. How many patients know that computerized medical devices that are inside their bodies, such as implanted defibrillators, insulin pumps and thousands of other network-connected devices, are vulnerable to hacking and sabotage?

The threat to implantable medical devices has grown as the devices increasingly go wireless, according to a GAO report. In 2012, information security researchers showed they could successfully manipulate two types of devices.

The idea that a hacker with a laptop could deliver a fatal, 830-volt shock to a pacemaker patient from 50 feet away? Even though no such cases have been reported, that's some serious freak-out-level information. - Gienna (@Gienna)