Monday, March 29, 2010

A Look into the HHS Posts Data Breach Notifications

I poked around the Data Breach Notifications that are posted on the HHS site. I parsed and sorted the data, and it is clear there is far more to fear from old-fashioned physical theft than from anything else.
  • There are only 3 entries that are hacking, resulting in a little over 12k patients exposed.
  • There are only 7 entries that are ‘unauthorized access’, which I assume means that someone was given access under a liberal access control policy but was caught accessing records they should not have. An example would be looking at a VIP's record, although given how few VIPs there are, those cases would not be reported here; so these accesses are more likely of the Coral Gables couple kind. These 7 entries resulted in 37k patients exposed.
  • Whereas there are 11 entries that seem to indicate human error, resulting in 103k patients exposed. I included the ‘loss’ and ‘other’ categories in this group; given the other information, this seemed like the right thing to do with them.
  • And good-old-fashioned physical theft accounts for 31 entries and 1 million patients exposed:
    • 23 of these look like they could be just theft of some technology to be pawned.
    • Which leaves 8 entries where the theft is of paper, backup tapes, CDs… clearly after the data.
    • 2 of the 31 entries are network servers, the rest are portable devices, laptops, or desktops (which I assume were out in the open).
Applying hard-drive encryption to the portable devices, laptops, and exposed desktops would have prevented 29 of these entries from needing to be reported, and a million patients would not have needed to be notified and worry about the result. The theory is that by encrypting these hard drives the data would have been unusable without access to the encryption keys. The presumption here is that the key is not pasted to the laptop with a post-it note. As I said above, I suspect that the majority of these physical thefts are people simply looking to pawn the technology. See Encryption is mandatory.
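To show how the sorting above can be reproduced, here is an added example (not the author's own script) that takes rows in the shape of the HHS breach-report export, groups them the way the post does (hacking, unauthorized access, human error = loss + other, physical theft), and then splits the thefts into devices that full-disk encryption would have covered, data media that were clearly taken for the data, and network servers. The rows, the column names, and the location vocabulary are constructed for the example; the real export differs in detail.

```python
"""Categorise HHS-style breach notifications and estimate which thefts
full-disk encryption would have made non-reportable.
Added example; the rows below are constructed, not the real HHS data set."""
import csv
import io
from collections import defaultdict

# Constructed sample in the shape of the HHS breach-report export:
# covered entity, individuals affected, type of breach, location of the data.
SAMPLE_CSV = """entity,individuals,breach_type,location
Hospital A,2100,Theft,Laptop
Clinic B,900,Theft,Desktop Computer
Lab C,15000,Theft,Paper
Hospital D,40000,Theft,Network Server
Practice E,4200,Hacking/IT Incident,Network Server
Hospital F,3000,Unauthorized Access,Electronic Medical Record
Clinic G,1200,Loss,Backup Tapes
Practice H,700,Other,E-mail
Hospital I,25000,Theft,Other Portable Electronic Device
"""

# Group the "type of breach" values the way the post does.
CATEGORY = {
    "Hacking/IT Incident": "hacking",
    "Unauthorized Access": "unauthorized access",
    "Loss": "human error",
    "Other": "human error",
    "Theft": "theft",
}

# Locations where disk encryption would have left the thief with unusable data
# (assuming the key was not stuck to the device), so no notification is needed.
ENCRYPTABLE = {"Laptop", "Desktop Computer", "Other Portable Electronic Device"}
# Theft of these media is plausibly after the data itself, not the hardware.
DATA_MEDIA = {"Paper", "Backup Tapes", "CDs"}


def parse_breaches(text):
    """Parse the CSV export into dicts with an int 'individuals' and a post-style category."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["individuals"] = int(r["individuals"])
        r["category"] = CATEGORY.get(r["breach_type"], "other")
    return rows


def summarize(rows):
    """Entries and individuals affected per category."""
    out = defaultdict(lambda: {"entries": 0, "individuals": 0})
    for r in rows:
        out[r["category"]]["entries"] += 1
        out[r["category"]]["individuals"] += r["individuals"]
    return dict(out)


def theft_breakdown(rows):
    """Split physical thefts into encryption-preventable devices, data media, servers, unknown."""
    b = {"encryptable": [], "data_media": [], "server": [], "unknown": []}
    for r in rows:
        if r["category"] != "theft":
            continue
        loc = r["location"]
        if loc in ENCRYPTABLE:
            b["encryptable"].append(r)
        elif loc in DATA_MEDIA:
            b["data_media"].append(r)
        elif loc == "Network Server":
            b["server"].append(r)
        else:
            b["unknown"].append(r)
    return b


def encryption_would_have_saved(rows):
    """(entries, individuals) for thefts that disk encryption would have made non-reportable."""
    hits = theft_breakdown(rows)["encryptable"]
    return len(hits), sum(r["individuals"] for r in hits)


if __name__ == "__main__":
    data = parse_breaches(SAMPLE_CSV)
    for cat, s in sorted(summarize(data).items()):
        print(f"{cat:20s} {s['entries']:3d} entries {s['individuals']:8d} individuals")
    print("thefts encryption would have covered:", encryption_would_have_saved(data))
```

Running it on the real export is a matter of pointing `parse_breaches` at the downloaded file; the interesting maintenance work is keeping the `ENCRYPTABLE` and `DATA_MEDIA` sets honest as the location vocabulary changes.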

It is amazing what I can draw from simple data. I could be 100% wrong. I am not a professional statistician, nor do I play one on TV. It is interesting that this is data from before the Meaningful Use, HIE and NHIN push. It will be interesting (I hope not) to see what these statistics look like in 2015.

Update: Nice graphical representation of these breach stats:

Tuesday, March 23, 2010

E-health security a problem at Vancouver Coastal Health Authority

Today a news release was the topic of Bruce Schneier's blog; the news release was about a recently released security audit report on the Vancouver Coastal Health Authority. The report was withheld from the public for 6 months so that the worst of the issues could be resolved; I can only assume they were. It is no surprise that Bruce liked the report and wished that others, pointedly the USA, would do the same. On this topic I can report that some healthcare providers and HIEs do actually do this, but I suspect not enough. I am absolutely confident that healthcare networks are far better secured than they were 10 years ago, when it was common for a hospital to have absolutely no firewall at its boundary to the internet. Progress, but we must always push for more progress.

I have a few observations on this specific report. It is only 37 pages long, and quite readable. Within the 37 pages is an executive summary, a response by VCHA, and a slightly detailed report. The report looks very official and is proud to declare that they used ISO/IEC 27001 and ISO/IEC 27002. These are motherhood and apple pie to a security expert, but they are mostly specifications that a consultant can build a business around. The group of auditors are clearly general IT security auditors, as they totally missed the healthcare specialization in ISO/IEC 27799; they did not consider patient safety, they did not consider medical records retention regulations, they did not consider legitimate secondary use, and they did not consider legally mandated access such as a court order. I do note that the VCHA response DOES recognize the need to protect patient safety, although at that point it seems like a straw argument. Then I get to the end and they have two pages of glossary terms ALL referenced to Webopedia and/or Wikipedia.

The main problem that was found was that there was an utter lack of POLICIES. This is step ONE. Without policies it is impossible to secure anything. An anonymous source tells me that "B.C. really rushed their EHR project, had some really ridiculously short timelines. This seems to be the result of extreme fast-tracking; everything except for getting the thing working was brushed aside, with a "we'll get to it later", and then they didn't." Those of us that work in Interoperability and Technical Standards harp on this day and night. In HITSP we wrote a Technical Note (TN900) totally dedicated to this ONE thing that must be done FIRST. IHE also has many of these, including in their white paper on Security/Privacy in an HIE. Without policies I am not sure why they even continued with the audit; nothing else can be declared out-of-policy.

Knowing that there are no policies, it is hard to argue that the Identity and Access Management was poor, although there are plenty of observations about how poor it was. Some of these are hard to argue with, but other practices could be legitimate. The fact that accounts are not immediately disabled, which would be general IT security best practice, could be legitimate, as health professionals often move around within the same community: sometimes as a consultant, sometimes as an employee, sometimes as a third party, sometimes as a defendant. The fact that users are not segmented into special roles is a recognition that (a) healthcare providers tend to have many roles covering a range of responsibilities, (b) healthcare providers tend to do whatever they can to help patients, often going above their defined role, (c) one organization's definitions of roles are very likely NOT the same as another organization's, and (d) no one actually has knowledge of who really has a need-to-know and who doesn't (many have tried and failed). Thus everyone that should see patient data is given the single role that gives everyone rights to see patient data. All other roles are considered unnecessary. This might not be a good policy, but lacking policy this is what will prevail. Policies are to blame. It is not uncommon for healthcare to use a rather liberal policy for access control that gives access to anyone that might have a reasonable need; but this is tempered by policy that instructs them to behave correctly, AND audit logs are regularly analyzed to detect abuse and punish according to the policy.

Records retention in healthcare is not the simple world of general IT records retention. The rules of medical records management prevail here, not the typical rules of IT. Who are the auditors to determine that something is irrelevant? Who are they to determine that the expiration of the records is not mandated by regulation? It is common for medical records retention rules to require Life + 3 years. Most choose to keep all data online because they really don't know when a patient has died; there are no regulations that require ALL healthcare providers to be notified when a human dies. Plus the data might legitimately be allowed for research use. Again, the lack of policies makes this audit measurement irrelevant.

Last but not least is the observation that there was no monitoring of the audit logs. Not even the general IT security log monitoring to detect intrusions and such. I push audit logging as the next thing beyond hardening, because post-analysis of behavior can detect abuse, and swift reaction to abuse can shut down future bad behavior. This is not the best approach, but given that the problems listed above around access controls and identity management are not going away, audit controls can at least be used. There are very well documented cases where this has worked: Octuplets, U of Iowa, St Vincent, Governor of Michigan, etc. And they are critical to enable the Accounting of Disclosures.
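The two preceding paragraphs describe the compensating control for a liberal access policy: everyone with a plausible need gets the single "see patient data" role, and the audit log is reviewed afterwards to catch abuse. The following added example (mine, not from the VCHA report or any product) shows what that review looks like in practice. It reads constructed audit records, compares each access against the patient's care team taken from encounter data, flags accesses to records that carry a review flag (the VIP case), and looks for a user opening many unrelated records in a short window, which is the pattern behind the record-selling and curiosity cases the post cites. The log format, the `CARE_TEAM` roster and the thresholds are assumptions for the example.

```python
"""After-the-fact audit-log review for access-control abuse under a liberal
access policy.  Added example; the log lines, care-team roster and thresholds
below are constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit records: time, user, action, patient.  A real EHR exports
# these from its audit trail (e.g. an IHE ATNA repository); the checks are the same.
AUDIT_LOG = """\
2010-03-05T08:01:00 user=nurse7 action=read patient=P100
2010-03-05T08:03:00 user=nurse7 action=read patient=P101
2010-03-05T09:15:00 user=clerk2 action=read patient=P900
2010-03-05T09:16:00 user=clerk2 action=read patient=P901
2010-03-05T09:16:30 user=clerk2 action=read patient=P902
2010-03-05T09:17:00 user=clerk2 action=read patient=P903
2010-03-05T09:17:30 user=clerk2 action=read patient=P904
2010-03-05T09:18:00 user=clerk2 action=read patient=P905
2010-03-05T10:40:00 user=drjones action=read patient=P100
2010-03-05T11:00:00 user=nurse7 action=read patient=VIP1
"""

# Constructed: who is on each patient's care team, derived from encounter data.
CARE_TEAM = {
    "P100": {"nurse7", "drjones"},
    "P101": {"nurse7"},
    "VIP1": {"drsmith"},
}
# Constructed: records whose every access gets mandatory review.
FLAGGED_PATIENTS = {"VIP1"}

LINE = re.compile(r"(\S+) user=(\S+) action=(\S+) patient=(\S+)")


def parse_log(text):
    """Parse audit lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, user, action, patient = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "patient": patient})
    return events


def no_treatment_relationship(events):
    """Accesses by users who are not on the patient's care team."""
    return [e for e in events if e["user"] not in CARE_TEAM.get(e["patient"], set())]


def flagged_accesses(events):
    """Every access to a flagged record, regardless of who made it."""
    return [e for e in events if e["patient"] in FLAGGED_PATIENTS]


def browsing_bursts(events, window=timedelta(minutes=5), threshold=5):
    """Users who open at least `threshold` distinct records within one `window`.
    Returns {user: largest number of distinct records seen in any window}."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        best = 0
        for i, start in enumerate(evs):
            seen = {x["patient"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            best = max(best, len(seen))
        if best >= threshold:
            flagged[user] = best
    return flagged


if __name__ == "__main__":
    evs = parse_log(AUDIT_LOG)
    for e in no_treatment_relationship(evs):
        print("no treatment relationship:", e["ts"], e["user"], e["patient"])
    for e in flagged_accesses(evs):
        print("flagged record accessed:", e["ts"], e["user"], e["patient"])
    print("browsing bursts:", browsing_bursts(evs))
```

Each finding is a lead for the privacy officer, not a verdict: a user outside the care team may have a legitimate reason (a consult, a covering shift), which is exactly why the post treats audit review as the mechanism that makes a liberal policy tolerable rather than as a replacement for one.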

Wednesday, March 17, 2010

The meaning of Opt-Out

Opt-Out means different things to different people/organizations, and with good reason. An article "Patients' medical records go online without consent" explains that in the UK:
Patients’ confidential medical records are being placed on a controversial NHS database without their knowledge, doctors’ leaders have warned.
It then does a good job of explaining that there is a way for patients to 'opt-out', but that this system requires that the patient take the initiative and either call a specific phone number or use the internet. The patients receive a letter prior to their data being entered into the NHS system. Thus the NHS system is based on implied consent.

In one week, the article has accumulated 50 comments. All but 2 of the comments are very strongly against this implied-consent model. Most of the comments against are focused on two specific concerns:
  1. The government will have access to the data and thus ultimately they will do bad things. This is the typical concern about the government having access to too much information. I think that in this case the data is already available to the government through other means; it is the doctors that can't use these 'other means', especially during urgent times. So, although I sympathize with this concern and do have this concern myself, I don't think that it is a high-priority concern. I would like to see strong policies that explain that medical data in a health information exchange (HIE) can only be used for treatment or explicitly approved uses. All the 'legal' exceptions should be kept out of an HIE; there are plenty of ways that these legal exceptions can be executed without using the HIE.
  2. Hackers will eventually gain access to the data. I have no doubt that hackers will eventually gain access. I don't say this because I want it to happen, or because I know of problems, but rather as an acknowledgment of history. This acknowledgment is similar to the fact that risks are never eliminated. We know that all kinds of risks, no matter how small, happen. As many safety features as we put into a car, crashes still happen and occupants still get killed. We do whatever we can to lower these risks, but they don't go away.
That said, we need to recognize that Opt-Out means different things to different people or organizations, and for good reason. The biggest reason for a difference is related to a complete medical history. Many people want to Opt-Out in their younger years when they are healthy and when they are worried about personal-relationships and employment. When they are young and healthy they truly do NOT want the data to be gathered together, because they are worried about (1) and (2); yet perceive no benefit to the data being gathered together.

The problem is that as they grow old they start to realize that they don't have perfect health anymore. It is when health starts to fail, when little things start to happen, that a complete medical history is important to the best care. If Opt-Out really means don't gather my data together, then Opt-In late in life provides no benefit to the patient as there is no medical history. 

Thus many health care providing organizations see Opt-Out not as a valve on the input, but a valve on the output. Meaning that as patient data is created it is gathered, yet if the patient has used Opt-Out then the data is not allowed to be used. Thus when the patient gets old and decides to Opt-In their complete medical history is available instantly.

Note that BOTH models can be supported by Consent standards.
See also: Consent standards are not just for consent, Consumer Preferences and the Consumer, RHIO: 100,000 Give Consent.

Another model is one where the Consent is not just In or Out, but where some information is gathered and other data is not. The standards can certainly support a patient authorizing 'medical summary only'. This model provides the most useful current medical data: Allergies, Problems, and Medications. But it does not provide a medical history. This data is most useful to treatment, and is least useful to (1) and (2). It is not clear to me if this is the NHS model, but the article does seem to imply that only a medical summary is being pushed into the NHS. See: Opt-In, Opt-Out.... Don't publish THAT!

Thursday, March 11, 2010

Consent standards are not just for consent

As we have been building the Privacy Consent standards I am always mindful of some extra use cases that this concept could enable, and thus I am always pushing for the standards to support them.

The basic Privacy Consent could get away with simply supporting a Healthcare Provider getting an acknowledgment from the Patient fulfilling the HIPAA Consent requirements. This is a very low bar, and indeed would not require anything, as HIPAA sets up an implied-consent environment. This implied-consent environment states that the Healthcare Provider needs to publish their Privacy Policy, and that if the patient doesn't like the conditions of the published Privacy Policy they can find a Healthcare Provider that has a Privacy Policy that meets their needs. Meaning that by the Patient choosing to be treated at that Healthcare Provider they are 'implicitly' agreeing to the posted Privacy Policy. In this environment, we need at best an OPT-OUT policy to indicate that the Patient has changed their mind and no longer wants that data shared according to the posted Privacy Policy. The meaning of this OPT-OUT policy would have also been spelled out in the posted Privacy Policy, so its effect is limited.

We know that there are states that require more than this. So we require that the Privacy Consent standards support OPT-IN environments, where the Patient must show evidence that they agree with the Privacy Policy. We need to support OPT-IN environments where there are limits on how long the data can be used (e.g. for the specific episode of care and no longer). We need to support OPT-IN into a special-case sharing environment, such as a referral to a specialist. Etc. These are all examples of the kinds of Privacy Policies typically seen as "Consent".

The case that HITSP was most recently working on is a case where a Privacy Policy "Preference" is published by the Patient. Thus they have a mechanism to publish what they would 'like' to have done with their data. This is a self-declaration, and thus is not really a Privacy Consent, as there is no data holder that is agreeing to the policy. But it is an important thing that must be able to be communicated. In this way any future Privacy Consent policies can be partially automated or pre-populated with the portions of the patient's Privacy Policy "Preferences", thus getting closer to what the Patient really wants.

The special cases that I am thinking of are those that go beyond treatment. In an article about the HIT Policy Committee's discussions, "Panel Weighs Strategies for Balancing Health IT Privacy, Research Goals", there is mention of Don Detmer asking for support that would allow a Patient to explicitly allow data to flow to Researchers. Unfortunately Jodi Daniel is quoted as saying that this would be "difficult". The idea is that some patients are very interested in advancing medicine by donating their information. Some are like John Halamka and donate not only their whole health history but also their gene sequence. I know that my Mother would love it if people could learn something from her medical history, as would I. These kinds of people would love for the research to help them, but are more interested in contributing to medical advances.

Although I want the Patient Privacy Policy (Consent) to advance one step at a time, going for 'good enough' and not waiting for 'perfection', I think that what we have today can support quite a few use cases without much difficulty. These standards are not perfect by any means, but we need to use them. See also: Consumer Preferences and the Consumer, Opt-In, Opt-Out.... Don't publish THAT!, RHIO: 100,000 Give Consent.
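The two posts above ("The meaning of Opt-Out" and this one) describe several consent models in prose: opt-out as a valve on the input (nothing is gathered), opt-out as a valve on the output (data is gathered but not released until the patient opts in), 'medical summary only', time-limited opt-in for an episode of care, and a self-declared research preference. The following added example, which is mine and is not any standard's or HITSP's normative logic, encodes those models as two decision functions, one for collection and one for disclosure, so the difference between the input-valve and output-valve readings becomes concrete: only the output-valve models can offer a complete history when the patient opts in later. The `Consent` fields, category names and purposes are assumptions for the example.

```python
"""Consent models from the posts, written as collection and disclosure checks.
Added example; field names, categories and purposes are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# The 'medical summary only' model gathers just these categories (per the post).
SUMMARY_CATEGORIES = {"allergies", "problems", "medications"}
TREATMENT = "treatment"
RESEARCH = "research"


@dataclass
class Consent:
    # "input-valve": opt-out stops gathering; "output-valve": gather, never release
    # until opted in; "summary-only": gather only the summary; "episode": output
    # valve that closes again after episode_end.
    model: str
    opted_in: bool = False
    episode_end: Optional[date] = None     # episode model: last day disclosure is allowed
    research_preference: bool = False      # patient's self-declared willingness to donate


def may_collect(consent: Consent, category: str) -> bool:
    """Input valve: does the HIE gather this data item at all?"""
    if consent.model == "input-valve":
        return consent.opted_in                  # opted out => nothing is gathered
    if consent.model == "summary-only":
        return category in SUMMARY_CATEGORIES
    return True                                  # output-valve and episode always gather


def may_disclose(consent: Consent, category: str, purpose: str, today: date) -> bool:
    """Output valve: may a gathered item be released for this purpose today?"""
    if not may_collect(consent, category):
        return False                             # never held, so nothing to release
    if purpose == RESEARCH:
        return consent.research_preference       # research needs the explicit preference
    if purpose != TREATMENT:
        return False                             # legal/other exceptions stay outside the HIE
    if consent.model == "output-valve":
        return consent.opted_in
    if consent.model == "episode":
        return (consent.opted_in and consent.episode_end is not None
                and today <= consent.episode_end)
    return True                                  # input-valve (opted in) and summary-only


def history_available_after_opt_in(consent: Consent) -> bool:
    """The posts' key point: a full history exists later only if data was gathered
    while the patient was opted out, i.e. only under the output-valve models."""
    return consent.model in {"output-valve", "episode"}


if __name__ == "__main__":
    today = date(2010, 3, 17)
    for c in (Consent("input-valve"), Consent("output-valve"), Consent("summary-only")):
        print(c.model, "collect labs:", may_collect(c, "labs"),
              "disclose allergies:", may_disclose(c, "allergies", TREATMENT, today),
              "history later:", history_available_after_opt_in(c))
```

The asymmetry the posts describe falls out directly: under `input-valve`, an opt-in late in life finds an empty record, whereas under `output-valve` the same opt-in flips `may_disclose` and the history is there. The `episode` branch is one way to express the "specific episode of care and no longer" requirement; real consent documents carry richer constraints than a single end date.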

Wednesday, March 10, 2010

FYI: NHIN University - Spring is focused on architecture and security

The NeHC is going to be putting on free webinars to educate on the NHIN architecture. The Spring seems to be focused on Security. Looks like it might be educational. I have confidence in those that are signed up to 'teach'. To register for NHIN University, sign up at

NHIN University - Spring Semester 2010
Class Schedule

The inaugural semester of NHIN University will feature a series of FREE webinars intended to provide stakeholders with foundational knowledge about what the NHIN is, how it works, and the vital trust fabric that underpins the safe and secure exchange of health information over the Internet.
NHIN 101 - An Introduction to the Nationwide Health Information Network
  • February 22, 2010
NHIN 102 - Secure and Meaningful Exchange of Health Information over the Internet
NHIN 103 - Architectures for Health Information Exchange and their Use
  • Mid-April 2010
  • Faculty: Richard Kernan, NHIN Specification Lead (Contractor), ONC
NHIN 104 - The Trust Fabric of the NHIN: Making Exchange a Good Choice
  • Mid-May 2010

Coral Gables couple again accused of stealing, selling patient records

Who needs vulnerabilities in the technology when a simple bribe will get you what you want? All the technology that I speak about on this blog, and all the policy that is written and implemented, can't stop humans. The good news is they got caught; the bad news is that this is the second time they got caught. Seems the first time should have been enough.
A Coral Gables couple are indicted a second time on charges of stealing the private records of patients to sell to lawyers for personal-injury claims. Last year, they were charged with running a racket to pilfer patient records from Jackson Memorial Hospital to sell to lawyers for personal-injury claims.

Now Ruben E. Rodriguez and wife Maria Victoria Suarez have been indicted again for paying an ambulance-company employee to steal information on patients transported to Miami-Dade hospitals and healthcare clinics. That theft scheme dates all the way back to 1995, according to an indictment filed last week. More

Monday, March 1, 2010

OASIS: Making Privacy Operational - Output

I had posted about OASIS: Making Privacy Operational. The audio recording of the webinar is available as is the presentation that was given. I was very impressed with how well they seemed to understand the complexity of Privacy. I think it would be good to dig deeper and help this effort. Healthcare specific Privacy is important, but we must recognize that ultimately the Healthcare privacy must fit within a more general purpose privacy framework.
Thank you for attending the recent OASIS webinar entitled “Making Privacy Operational”. The recorded version is now available at:

Feel free to distribute these links to others who are interested in the operational aspects of privacy management.

As you know from the webinar, our objective is to create a new OASIS Technical Committee entitled the Privacy Management Reference Model TC, based on the donated PMRM from the ISTPA (

The PMRM is intended to serve as a template for developing operational solutions to privacy issues, as an analytical tool for assessing the completeness of proposed solutions, and as the basis for establishing categories and groupings of privacy management controls. The Reference Model will not be a “specification” in the formal sense, but is intended to be used as the basis for an implementation standard, which would be developed independently. Comprehensive Use Cases will be solicited and developed in several areas to test the completeness and robustness of the Reference Model.

As a member of OASIS, would you and your organization consider being listed as an initial “proposer” in the charter of the TC? As noted in the webinar, we already have ISTPA, NIST, ABA, CA and several individual members as ‘proposers’. The proposer designation does not commit you to any explicit work effort, but rather shows your support for the objectives of the TC (summarized above and in the webinar) and the assumption that you will follow the progress of the TC. Of course, we will welcome any and all active participants in the TC, since privacy management issues affect all individuals, corporations, and business sectors. 

If “YES”, simply e-mail me at with your contact information and corporate affiliation.

Michael Willett and John Sabo