September 5, 1995 – December 16, 2005 We won! :-)


Page 1: September 5, 1995 – December 16, 2005 We won! :-)

September 5, 1995 – December 16, 2005

We won! :-)

Page 2

Hacking health

RISKS of electronic patient records (EPR)

The Next Ten Years

Karin Spaink

[email protected]

Page 3

The Next Ten Years

• six books in three years
• effects of technology
• underexposed subjects
• theory / practice
• 2005 sept: EPR
• 2006 mar: Gaming
• 2006 oct: Web 2.0
• ....

Page 4

Why a book on EPRs?

• no public debate whatsoever about why & how
• newspapers: press releases, progress reports etc.
• policy makers: absolute faith in technology

• examine premises
• re-sensitise the public w.r.t. privacy issues

Page 5

Why EPRs?

• make medical information accessible nation-wide
• all health professionals have the same information
• without time delay or paperwork
• enforce co-operation and sharing

• reduce bureaucracy, increase efficiency
• reduce medical errors
• reduce costs

Page 6

old situation

• patient records stored in various, contained places
• GPs, hospitals, pharmacies and para-medics all have their own patient information systems
• communication and exchange of information through EDIFACT, letter or phone
• exchanged information stored locally again, on paper or electronically

Page 7

projected situation

• patient records stored in various open places
• (para-)medics can consult data stored elsewhere over the internet in real time
• National Exchange Point will show what data is stored where
• data stays where it is generated

Page 8

Patients need to be unique

• previous secretary of Health, Els Borst: 'We will not use the social security number, for obvious reasons'
• new government, new climate: Civil Service Number for all citizens will be introduced in 2006
• CSN = SSN

SSN: work, taxes + welfare
EN: education
HIN: health + child / youth care

Page 9

Risks of one overall number

practical problems:
• SSN is not unique
• unwanted / unforeseen / unaccounted linking of personal data in various domains
• identity theft

political problems:
• extending the law w.r.t. data linking
• CSN is meant from its inception to assist law enforcement & investigation
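The linking risk on this slide, shown in Python as an added illustration that is not part of the talk: with one overall number, records from three domains join on the same key, while sector-specific numbers (the SSN / EN / HIN split of the previous slide) are simulated here as keyed-hash pseudonyms derived per sector, which nobody without the derivation secret can join. The records, sector names and secret are constructed; the holder of the secret can of course still re-link, so the gain is that cross-domain linking becomes a deliberate act by one accountable party instead of a trivial join.

```python
import hashlib
import hmac

# Constructed sample data: one record per domain, all keyed by the same
# overall number (CSN). Numbers and values are made up for this example.
TAX_RECORDS = {"100000001": {"income_band": "high"}, "100000002": {"income_band": "low"}}
EDU_RECORDS = {"100000001": {"school": "Lyceum A"}, "100000003": {"school": "College B"}}
HEALTH_RECORDS = {"100000001": {"note": "MRSA positive"}, "100000002": {"note": "ESBL positive"}}


def linkable_ids(*datasets):
    """Return the identifiers that occur in every dataset: with one overall
    number, any holder of two datasets can join them on this key."""
    common = set(datasets[0])
    for d in datasets[1:]:
        common &= set(d)
    return common


def sector_number(csn: str, sector: str, secret: bytes) -> str:
    """Derive a sector-specific number from the CSN with a keyed hash (HMAC).
    Each sector gets a different number for the same person; without the
    secret, numbers from two sectors cannot be mapped onto each other."""
    digest = hmac.new(secret, f"{sector}:{csn}".encode(), hashlib.sha256).hexdigest()
    return f"{sector}-{digest[:12]}"


def pseudonymise(dataset: dict, sector: str, secret: bytes) -> dict:
    """Re-key a dataset from the CSN to the sector-specific number."""
    return {sector_number(csn, sector, secret): rec for csn, rec in dataset.items()}


def compare_linkability(secret: bytes) -> dict:
    """Count how many people can be linked across all three domains under
    both schemes. The secret models the derivation key held by the issuer."""
    with_csn = linkable_ids(TAX_RECORDS, EDU_RECORDS, HEALTH_RECORDS)
    with_sector = linkable_ids(
        pseudonymise(TAX_RECORDS, "tax", secret),
        pseudonymise(EDU_RECORDS, "edu", secret),
        pseudonymise(HEALTH_RECORDS, "health", secret),
    )
    return {"overall_number": len(with_csn), "sector_numbers": len(with_sector)}


if __name__ == "__main__":
    # Constructed secret; in practice this key would stay with the issuing body.
    print(compare_linkability(b"constructed-issuer-secret"))
```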

Page 10

Government on CSN

'Implementing an overall personal number is important to meet the desire to have more means available to link data for purposes of law enforcement and investigation. Extending the legal possibilities to do so is being considered within the current European privacy directives.'

- Kamerstukken II 2002-2003, 28 600 VII nr. 21, p. 2.

Page 11

Companies on CSN

'Companies should be allowed to use the CSN for their own purposes and not only to exchange information with the government. [..] Companies will be obliged to use the CSN when they deliver information about people to the government. Privacy laws prevent them from using that same CSN for their own administration. According to VNO/NCW, this is an unnecessary cost.'

- VNO/NCW: Privacy hindert doelmatigheid, AG 12 november 2005

Page 12

Introduction of eNIC

• government has been eager to introduce a biometric electronic national ID card (eNIC)
• 'lack of identity-rich applications'

• summer 2005: Dpt. of Health supplies solution: eNIC will be used to authenticate patients when consulting their own EPR, starting Oct. 2006

while we have DigiD but no card readers, nor is patient access part of EPR programs

Page 13

'Technical' problems re. EPR

• viruses: Spaarne hospital (March 2005), various radiology dpts.

• bugs: pharmacies (Nat. Health Inspection 19-08-1005)

• data entry errors: identification, dosage, codes

Electronic Medication Programs are currently the fourth cause of medical errors, while EPR/EMR were intended to remedy those

Page 14

Securing patient data

• Dpt. of Health: no extra money for new software or implementation of EPR

• National Health Inspection: no requirements set for software ('market must solve it')

• NICTIZ: 'responsibility for data and software lies with health institutes themselves, not with us'
• GPs: no knowledge / infrastructure
• legacy software (esp. hospitals)
• health care as a sector is not very computer savvy

Page 15

Safety was an afterthought, the icing on the cake. ('We will add a firewall to protect our data.')

Data security (integrity) is not the icing on the cake but part of the baking process. Safety is the baking soda, part of the design.

Page 16

Practical part of the project

• negotiations with 3 hospitals; 2 agreed to a penetration test

(A) regional hospital providing EPR for GPs, rehabilitation clinic, nursing home

(B) one of the biggest academic hospitals

• results were shattering: we could access 1.2 million patient records (8% of Dutch population)
• access = copy, delete, change

Page 17

Fields of the exposed patient records: insurance number, initials, surname, phone, date of birth, insurance number, street, zip code, city


Page 18

Fields of a second set of exposed records: patient code, infection, informed by, notes


Page 19

Page 20

Secr. of Health about the hack

'The privacy of medical data should not be at stake. Medical data should not be out in the open! Hospitals are responsible for the enforcement of safety requirements with respect to sensitive data and should take action. That is actually not a matter of money, but of internal procedures and a proper administrative organisation.'

- secr. Hoogervorst in Parliament, Sept. 6 2005

Page 21

On second thoughts...

Nov. 11, letter to parliament:
• implementation of national EPR postponed
• 'security' mentioned 27 times
• NEN 7150 (set of safety rules) becomes touchstone
• new committee within Dpt.
• law on medical secrecy might be re-assessed

Yet:
• wrong level: hospital A sends sysadmin
• wrong problem: 'we have a proper firewall' (AMC)
• wrong solution: NEN 7150 far too broad (skirthings)

Page 22

Resumé

• technology is hailed as a cure-all
• three huge problems within six months (viruses, software bug, hospital hack)
• improvement of health care dubious
• protection of highly sensitive data severely lacking
• EPR is politically abused (law enforcement, eNIC)