Links to Information on Health Records and Data Hacking

This page contains links to information on the Internet about health records and data hacking.

The APF does not necessarily endorse or support any of the views or opinions contained in these references; they are provided as an information source so that you can make up your own mind.

Table of Contents

Information on Digital Health initiatives.

Australian Links

International Links

Information on Data Hacks and Leaks

Links to other pages


Information on Digital Health initiatives and Associated Privacy Issues


  • The give and take of public privacy in the big data era
    Privacy means different things to different people. To a lot of public servants and academics, it’s become a barrier to a world of valuable insights and new investigative tools. For others, privacy is a fundamental right shown less and less respect by governments over recent years — except when they are being asked to release their own information.
  • Englishman now in charge of $1 billion digital health records system doctors refuse to use
    THE man who led the dumped UK digital health record system has been put in charge of Australia’s bungled $1 billion e-health record and is being paid as much as the Prime Minister to fix it. Former journalist Tim Kelsey will be paid a total remuneration package worth $522,240 a year, almost the same as Malcolm Turnbull and just shy of the $548,360 paid to the Chief of the Navy and more than the Chief Scientist, the head of the Fair Work Commission and the Inspector General of Taxation, a remuneration tribunal determination reveals.
  • Australian health sector an easy target for cyber criminals, says IBM
    According to IBM’s 2016 Cyber Security Intelligence Index, there has been a clear shift recently in online targets, essentially away from credit cards and toward health-related data. IBM has worked with small suburban medical and dental centres in Australia, which have become a particular target for ransomware. Glen Gooding, an executive from IBM’s Security Services (ANZ), said health records were “an important way to extract money by taking on the persona of someone else”.
  • What should a national digital health system look like?
    Back in 2009, when I explored the implications of these structural differences for government, I came to the conclusion that digital health needed a ‘middle out’ governance model, rather than top-down or bottom-up approaches to strategy. One consequence of the thinking in that paper was that I formed a view that we did not need a centralised national summary care record – a view which left me with fewer friends in government than I used to have! I was only trying to be helpful …
  • Government Ignores Flaws In E-Health Push.
    The Federal Government is pushing ahead with mass trials of its My Health Record e-health system despite concerns that fundamental shortcomings are yet to be addressed.
  • Most Australian GP clinics aren’t using e-health records
    Only 300 Australian GP clinics are using the federal government’s electronic health records system on a weekly basis, the Department of Health has revealed, highlighting the uphill battle Canberra faces getting doctors on board with its e-health drive. In a response to questions on notice from the senate community affairs committee, the department shared the disappointing average, recorded between 22 October 2015 and 11 February 2016.
    Australia is home to approximately 28,000 GP medical businesses.
  • Your private health data could be sold for profit
    Experts fear private medical records could be given to insurance providers and pharmaceutical companies. Whether you have a heart condition, diabetes, a rare blood disorder or are in fine health, this is all information which could be potentially turned to profit. And now experts fear your private medical records could soon be available to the highest bidder.
  • Sussan Ley to trial new e-health record for the Fitbit generation
    The government’s new e-health system, which will collate medical records, will also be able to be shared broadly, such as with gym instructors and even third-party companies like Fitbit. (see next link, Medical apps: lifesavers or dangers to health?)
  • Medical apps: lifesavers or dangers to health?
    Researchers around the world are warning that none of the 165,000 available medical apps have been properly tested. (see previous link, Sussan Ley to trial new e-health record for the Fitbit generation)
  • Anonymous GP data can be cracked: warning
    The Privacy Commissioner has sounded a warning shot that companies dealing in “anonymous” prescribing data may nevertheless be revealing doctors’ and patients’ identities. Commissioner Timothy Pilgrim has acknowledged that sophisticated technology is now capable of re-identifying anonymous data, by means such as cross-referencing anonymous data with other data sets. Previously, trading in de-identified data was thought to be relatively safe, as it was not covered by the Privacy Act so could not attract financial penalties.
  • Australian health records fed into big data maw .. because insight
    While it continues to battle public indifference to personally-controlled electronic health records (PCEHRs), the Australian government is quietly looking for bright sparks to put forward ideas on how to use the records for observations.
  • Coroner raises red flag on “ridiculous” e-health system
    The State Coroner has raised serious concerns about the impact of the state’s controversial electronic health records system on his ability to conduct inquests into hospital deaths.
  • e-health: Privatising your medical history
    The Australian Medical Association criticised the intention to allow patients to decide who would access their records and what was included, saying that medical practitioners would be unlikely to rely on the information contained in the records. The organisation considered that records with hidden information would be more dangerous than no records at all. Patients, privacy groups and other organisations were suspicious whether the storage and sharing of personal data would be secure and where and how it would be used at a later date. Would, for example, private health insurance funds have access. Government bureaucracies are notorious for leaks and mishaps with personal records.
  • Risks feared in medical apps
    “There is an enormous scope for error. The doctor types notes straight into the software. At the same time, thoughts occur to the patient, who voices them, so the GP has to listen to the patient and type in the diagnosis at the same time. Mistakes can be made and missed. So misinformation can remain on a patient record for years, and perhaps might not be discovered until that patient changes GP. This can lead to patient care errors. The source of the misinformation can then be traced back to the originating doctor. It’s an error which can come back to haunt the patient and the clinician alike.”


Links to postings on UK’s project

  • GP records soon wide open again: Just walk into a ‘safe haven’ (2014 report)
    The government is preparing to resume its GP patient data-sharing plan, even though its chief scientific advisor admits it can’t guarantee your privacy. The initiative was put on hold in February – but it will shortly resume with two exciting new Orwellian additions to our vocabulary. In theory the GP data is anonymised, but in practice, an individual’s identity can be reconstructed without too much difficulty. In addition, the data is open to all (for a peppercorn fee – PDF). The dissemination programme was put on hold for six months while a “consultation” took place.
  • NHS data sharing: taking stock (Eerke Boiten’s blog. 2014)
    I have written in the last few weeks, on this blog and twice in The Conversation, on the NHS sharing scheme. In terms of the “authoritative” information, the picture has become a bit clearer to me, although the information “out there” is hardly getting any clearer. Mindless accusations such as “NHS selling data to the highest bidder” are still floating about, and on the “other side” even yesterday the BBC was still reporting data was non-identifiable when it is.

Other links


  • Nigerian Health ICT Strategic Framework 2015-2020
    Health ICT is more than electronic health records; it is applied across the health system and services to ensure continuity of patient care across time. A Shared Health Record (SHR) enables the collection and storage of electronic health information about individual patients in a centralized repository which is capable of being shared across different healthcare settings.
  • Study: EHRs bloat clerical workload for docs
    For every hour physicians spend in exam room visits with patients, they spend nearly two hours on electronic health record and desk work during office hours, a new study funded by the American Medical Association finds. “This study reveals what many physicians are feeling–data entry and administrative tasks are cutting into the doctor-patient time that is central to medicine and a primary reason many of us became physicians,” AMA Immediate Past President Steven Stack said in a statement. “Unfortunately, these demands are not being reconciled with patient priorities and clinical workflow. Clerical tasks and poorly-designed EHRs have physicians suffering from a growing sense that they are neglecting their patients as they try to keep up with an overload of type-and-click tasks.”
  • PHRs struggling to gain traction and show benefits – review
    “Many of the case study sites had invested in PHRs (Personal Health Records) on the basis that they are ‘a good thing’, but with little evidence of quantified benefits,” a report released this week says. “The lack of a viable business case could slow further developments and make existing PHRs unsustainable.”
  • How to make sure only certified users access patient data
    It can be difficult to prevent authorized users from doing bad things. One way to help thwart threats like this, especially for third-party contractors and consultants, is to have an access certification process. An access certification process is the ongoing review of who has access to what and the risk associated with that access. This validates that authorized and appropriate access rights have been granted.
  • Growing number of endpoints raises healthcare vulnerability
    The risk of criminal access to networks and cyber attacks is rising because of endpoint vulnerabilities, according to results of a recent survey by the Ponemon Institute. The survey has significant implications for healthcare organizations, which have seen increased access to networks and information through the use of many kinds of devices, such as laptops and smartphones.
  • ECRI ranks health IT among the industry’s top safety concerns
    Despite the widespread adoption of EHRs, correctly identifying patients and accurately matching their records continues to be a difficult problem, according to ECRI analysts who discovered that patient identification issues were not only frequent but serious.
  • Hacking Health Care Records Reaches Epidemic Proportions
    “Electronic health records are 100 times more valuable than stolen credit cards,” said James Scott, co-founder and senior fellow at the Institute for Critical Infrastructure Technology (ICIT). “With credit cards, the money is insured. If the bank is FDIC-backed, most people who have their credit card numbers stolen won’t actually lose the money. The bank makes up the difference,” Scott said. “But with electronic health records, the reason that hospitals and insurance companies are such a big target, first, is because of the payoff.”
  • Healthcare is among highest-profile hack targets
    Healthcare is a big target for hackers because of the richness of medical records for identity theft and other crimes. In fact, a medical record is worth over 16 times more than a credit card record.
  • The Future of Patient Engagement in the Governance of Shared Data
    This opportunity for reflection and consultation with family, friends, and trusted associates (e.g., culture brokers) is critical for two reasons. First, it provides patients with education and an opportunity to think through the many issues related to decisions about the use of their personal data. Second, it demonstrates the shared nature of the decision-making that will occur between patients and the members of their care teams. In this way clinicians, researchers, and patients can move forward together in a true spirit of “nothing about me without me.” This clear and present effort to partner with patients rather than act unilaterally on their behalf strengthens the dynamic of patient engagement that will underlie provider-patient relationship in years to come.
  • Clinical Documentation in the 21st Century
    Electronic health records should be leveraged for what they can do to improve care and documentation, including effectively displaying prior information that shows historical information in rich context; supporting critical thinking; enabling efficient and effective documentation; and supporting appropriate and secure sharing of useful and usable information with others, including patients, families, and caregivers. These features are unlikely to be optimized as long as the format and content of clinical documentation are primarily based on coding and other regulatory requirements. Furthermore, under these circumstances, EHRs lose much of their potential to improve care and documentation and instead are relegated to doing nothing that could not be done with paper records—only less efficiently.
  • Sneaky health apps share private information
    MANY diabetes apps collect and share patients’ private information without their knowledge, US researchers warn. An analysis of 211 Android diabetes apps has found 81% don’t have privacy policies. Of the 19% with a privacy policy, most of them state that they share user data with third parties without seeking express permission from the user. Data collected by diabetes apps includes insulin and blood glucose levels, usually captured by tracking cookies. “Patients might mistakenly believe that health information entered into an app is private (particularly if the app has a privacy policy), but that is generally not the case,” the researchers write in a letter to JAMA.
  • Experts argue the benefits, pitfalls of a unique patient identifier
    Implementing a unique patient identifier would add nothing to our health care system beyond coercive surveillance. It would collect information about us without our consent or even our knowledge, much as the National Security Agency has been doing with telephone records.
  • Health IT mistakes can hurt patient safety
    Despite the potential for health information technology to improve patient outcomes, adverse events associated with the use of health IT can cause extensive harm and are encountered across all healthcare settings. That’s the finding of a new Observations: of electronic health record-related harm in cases submitted to a large database of malpractice suits and claims maintained by CRICO, an evidence-based risk management group of companies owned by the Harvard medical community.
  • Healthcare sector warned to be alert for hack attacks of networks and devices
    For decades, the biggest worry of regulators at the US Food and Drug Administration has been medicines with toxic side effects. Increasingly, however, they are contending with a new danger as the rise of “digital health” makes cyber security potentially a matter of life and death.
  • Thefts of patient medical records starting to add up
    Cybersecurity attacks and data breaches soared during 2015, according to results of the sixth annual report from security firm Redspin on leaks of protected health information. Since 2009, a total of 154,368,781 patient records have been breached, and nearly three-quarters of those records—more than 113 million—were breached in 2015, Redspin noted. Further, 98 percent of patient records breached last year were a result of hacking incidents.
  • Another big health risk that can really hurt you
    One of the biggest threats Americans face this year is with their health — information. The health-care sector fell victim to hackers multiple times in 2015, and the targets included some of its biggest companies: Anthem, Premera Blue Cross and CareFirst BlueCross BlueShield were all hacked last year. In the process, a total of nearly 95 million patient records were exposed. Once inside the databases of health organizations, cyber criminals potentially have access to Americans’ most sensitive personal information, including Social Security numbers, health insurance ID numbers, and even employment and income data.
  • ‘State snooping’ fears as civil servants are handed new power to examine detail in every sick note given out by GPs
    A new power allowing civil servants to see the detail in all sick notes handed out by GPs has been branded ‘state snooping’ today. Critics fear that now the Department for Work and Pensions have access to the data from next month it will be used to name and shame surgeries who issue the most ‘fit notes’.
  • Dissecting a health care IT failure
    A new report by IT failures expert and author, Phil Simon, takes a deep analytical dive into a failure at a major hospital system.
  • Six reasons why the NHS National Programme for IT failed
    Like many men, I don’t go to the doctor very often. The last time I did, I was with my GP for 25 minutes: five minutes discussing my symptoms and 20 minutes helping her to understand how to use her new computer system to record my symptoms, her diagnosis and book the next appointment. Together, we experienced a system that was slow, cumbersome, insufficiently explained and poorly implemented.
  • Surgeon: Electronic Health Records Do More Harm Than Good
    “Electronic health records are contributing to two major problems: lower quality of care and higher costs,” Singer says, “having to fill out EHRs, which can lead to IT issues, takes his attention away from patients.”
  • The Ethics of Electronic Health Records
    The ownership of EHRs must also respect patient autonomy. Autonomous patients will argue that they are the rightful owners of the intimate information contained in their EHR. As with other types of electronic media, however, the companies that create EHR software or maintain the data storage servers might claim ownership of the data. Similarly, individual health care providers and hospitals might argue for ownership of the information. These obvious conflicts between economic and personal value, professional and patient autonomy, and business interests must be rectified both ethically and legally before EHRs are implemented widely across the health care system.
  • Loss of life, liability top cybersecurity fears for health IT leaders
    Losing patients due to malicious actors gaining access to systems or hacking medical devices is the top fear for healthcare leaders when it comes to cybersecurity, according to the results of a new survey.
  • Electronic Health Records raise new ethical concerns
    Loss of privacy is commonly thought of as an “unauthorized disclosure” in which the client’s Protected Health Information (PHI) is released to someone not authorized by the client to receive it, usually by accident such as a misdirected fax or email. But we now commonly hear of breaches of privacy in which thousands of records are lost or compromised by having an unencrypted laptop computer stolen. Such events violate the ethical principles of beneficence and nonmaleficence. Indeed, there are dozens of ways the privacy of the client can be weakened or violated with paper or electronic records but I want to discuss some less obvious risks to our ethical promises.
  • Electronic Medical Record Shift: Signs Of Harm Emerge As Doctors Move From Paper
    One day in March 2009, hospital workers misread small print on a computer screen, causing them to dispense 10 times the prescribed dose of a drug. Result: The patient has a heart attack. Another time, a computer fails to alert doctors and nurses when a patient is moved from intensive care to their ward. Left unattended during the night, the patient suffers seizures for hours.
  • Impact of Electronic Health Record Systems on Information Integrity: Quality and Safety Implications
    While the adoption of electronic health record (EHR) systems promises a number of substantial benefits, including better care and decreased healthcare costs, serious unintended consequences from the implementation of these systems have emerged. Poor EHR system design and improper use can cause EHR-related errors that jeopardize the integrity of the information in the EHR, leading to errors that endanger patient safety or decrease the quality of care. These unintended consequences also may increase fraud and abuse and can have serious legal implications.


Data Hacks and Leaks

The following are links to reports on data leaks, problems and hacks, the latter being incidents where data have been inappropriately accessed, stolen and/or leaked to criminals and others with dubious intentions. These reports include incidents involving health and other data and they indicate the vulnerability of large databases attached to the internet, and sometimes, not even on the internet as in the cases of the Edward Snowden and Chelsea (Bradley) Manning leaks.

In our opinion, you should never collect health and personal information unless it is absolutely necessary and has a major benefit. An opt-out My Health Record system would collect data on many Australians that was of no health care value but which was at high risk of being hacked.

  • Quest Diagnostics says personal health information of 34,000 customers hacked
    Medical laboratory operator Quest Diagnostics Inc. says a hack of an internet application on its network has exposed the personal health information of about 34,000 people. The Madison, New Jersey-based company says “an unauthorized third party” on Nov. 26 gained access to customer information including names, dates of birth, lab results and in some instances, telephone numbers.
  • Australia’s biggest data breach sees 1.3m records leaked
    More than one million personal and medical records of Australian citizens donating blood to the Red Cross Blood Service have been exposed online in the country’s biggest and most damaging data breach to date. A 1.74 GB file containing 1.28 million donor records going back to 2010, published to a publicly-facing website, was discovered by an anonymous source and sent to security expert and operator of Troy Hunt.
  • Service provider IDs unmasked in open health data, investigation underway
    The Department of Health has removed a set of Pharmaceutical Benefits Scheme and Medicare data from the federal open portal after computer security experts were able to decrypt the health service provider identification numbers it contained. Information commissioner Timothy Pilgrim has been informed and is investigating the matter as well as “providing independent oversight” says the department, which announced the decision this morning.
  • ICIT report outlines ways breaches can ruin patients’ lives
    Healthcare executives’ “lackadaisical approach” to cybersecurity endangers the lives and futures of breach victims, who have little help or recourse for dealing with identity theft, according to a new report from the Institute for Critical Infrastructure Technology. It looks at how healthcare information is exploited on the Dark Web, with the data often being sold multiple times. Such information also can continue to be sold for the rest of the victim’s life, the authors say in their tersely worded report, adding that “for some, such as children, this can drastically hinder their future financial stability and limit the potential lives that they could lead.”
  • SA Health workers sacked for breaching privacy
    Three SA Health employees have lost their jobs for breaking privacy rules protecting patient records.
  • Crooks Steal, Sell Verizon Enterprise Customer Data
    Verizon Enterprise Solutions, a B2B unit of the telecommunications giant that gets called in to help Fortune 500’s respond to some of the world’s largest data breaches, is reeling from its own data breach involving the theft and resale of customer data, KrebsOnSecurity has learned. Earlier this week, a prominent member of a closely guarded underground cybercrime forum posted a new thread advertising the sale of a database containing the contact information on some 1.5 million customers of Verizon Enterprise.