The Downside of E-Health Records
With all the excitement surrounding <a href="http://www.nextgov.com/nextgov/ng_20090115_8220.php?oref=search">electronic health records</a> in the new administration, including the $19 billion in the stimulus bill set aside to further their adoption, it's easy to forget the potential risks of moving our health information online.
With all the excitement surrounding electronic health records in the new administration, including the $19 billion in the stimulus bill set aside to further their adoption, it's easy to forget the potential risks of moving our health information online.
One striking example of the possible downside came to us on Monday from Wikileaks via the Washington Post's Security Fix blog:
Hackers last week broke into a Virginia state Web site used by pharmacists to track prescription drug abuse. They deleted records on more than 8 million patients and replaced the site's homepage with a ransom note demanding $10 million for the return of the records, according to a posting on Wikileaks.org, an online clearinghouse for leaked documents.
Wikileaks reports that the Web site for the Virginia Prescription Monitoring Program was defaced last week with a message claiming that the database of prescriptions had been bundled into an encrypted, password-protected file. Wikileaks also printed a copy of the ransom note:
I have your [expletive] In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :(For $10 million, I will gladly send along the password.
The state discovered the attack on April 30 and soon after shut down the Web site. They are in the process of restoring the systems but no word yet on whether the attacker has been identified.
The incident serves as a vivid reminder of the dangers of uploading a massive amount of private data without first having the mechanisms in place to ensure it is secure. Even if Virginia manages to restore the systems and recover the lost health records, it's small consolation to the more than 8 million patients whose data is now sitting in the hands of a known criminal. While there is no indication yet who is behind the attack, numerous elements from health marketing organizations to organized crime would be willing to pay good money for such information.
Hopefully the federal government is taking notes from this incident and planning how to prevent a similar breach from occurring at the federal level, especially if they still plan on putting every American's health records online within five years.
NEXT STORY: GSA Sends USA.gov to the Cloud