September 5, 1995 - PowerPoint PPT Presentation

Transcript and Presenter's Notes

Title: September 5, 1995


1
September 5, 1995 - December 16, 2005
We won! :-)
2
Hacking health
  • RISKS of electronic patient records (EPR)
  • The Next Ten Years
  • Karin Spaink
  • karin_at_spaink.net

3
The Next Ten Years
  • six books in three years
  • effects of technology
  • underexposed subjects
  • theory / practice
  • 2005 sept EPR
  • 2006 mar Gaming
  • 2006 oct Web 2.0
  • ....

4
Why a book on EPRs?
  • no public debate whatsoever about why and how
  • newspapers: press releases, progress reports
    etc.
  • policy makers: absolute faith in technology
  • examine premises
  • re-sensitise the public w.r.t. privacy issues

5
Why EPRs?
  • make medical information accessible nation-wide
  • all health professionals have the same
    information,
  • without time delay or paperwork
  • enforce co-operation and sharing
  • reduce bureaucracy, increase efficiency
  • reduce medical errors
  • reduce costs

6
  • old situation
  • patient records stored in various, contained
    places
  • GPs, hospitals, pharmacies and para-medics all
    have their own patient information systems
  • communication and exchange of information
    through EDIFACT, letter or phone
  • exchanged information stored locally again, on
    paper or electronically

7
  • projected situation
  • patient records stored in various open places
  • (para-)medics can consult data stored elsewhere
    over the internet in real time
  • National Exchange Point will show what data is
    stored where
  • data stays where it is generated

8
Patients need to be unique
  • previous secretary of Health, Els Borst: 'We
    will not use the social security number, for
    obvious reasons'
  • new government, new climate: Civil Service
    Number for all citizens will be introduced in
    2006
  • CSN SSN
  • SSN: work, taxes, welfare
  • EN: education
  • HIN: health, child / youth care

9
Risks of one overall number
  • practical problems
      • SSN is not unique
      • unwanted / unforeseen / unaccounted linking
        of personal data in various domains
      • identity theft
  • political problems
      • extending the law w.r.t. data linking
      • CSN is meant from its inception to assist
        law enforcement investigation

10
Government on CSN
  • 'Implementing an overall personal number is
    important to meet the desire to have more means
    available to link data for purposes of law
    enforcement and investigation. Extending the
    legal possibilities to do so is being considered
    within the current European privacy directives.'
  • - Kamerstukken II 2002-2003, 28 600 VII nr.
    21, p. 2.

11
Companies on CSN
  • 'Companies should be allowed to use the CSN for
    their own purposes and not only to exchange
    information with the government. ... Companies
    will be obliged to use the CSN when they deliver
    information about people to the government.
    Privacy laws prevent them from using that same
    CSN for their own administration. According to
    VNO/NCW, this is an unnecessary cost.'
  • - VNO/NCW Privacy hindert doelmatigheid, AG 12
    november 2005

12
Introduction of eNIC
  • government has been eager to introduce a
    biometric electronic national ID card (eNIC)
  • 'lack of identity-rich applications'
  • summer 2005: Dpt. of Health supplies solution
  • eNIC will be used to authenticate patients when
    consulting their own EPR, starting Oct. 2006
  • while we have DigID
  • but no card readers
  • nor is patient access part of EPR programs

13
'Technical' problems re. EPR
  • viruses
      • Spaarne hospital (March 2005)
      • various radiology dpts.
  • bugs
      • pharmacies (Nat. Health Inspection 19-08-1005)
  • data entry errors
      • identification, dosage, codes
  • Electronic Medication Programs are currently the
    fourth cause of medical errors, while EPR/EMR
    were intended to remedy those

14
Securing patient data
  • Dpt. of Health: no extra money for new software
    or implementation of EPR
  • National Health Inspection: no requirements set
    for software ('market must solve it')
  • NICTIZ: 'responsibility for data and software
    lies with health institutes themselves, not with
    us'
  • GPs: no knowledge / infrastructure
  • legacy software (esp. hospitals)
  • health care as a sector is not very computer
    savvy

15
Safety was an afterthought, the glazing on the
cake. ('We will add a firewall to protect our
data.') Data security (integrity) should not be
the icing on the cake but part of the baking
process. Safety is the baking soda, part of the
design.
16
Practical part of the project
  • negotiations with 3 hospitals: 2 agreed to a
    penetration test
  • (A) regional hospital providing EPR for GPs,
    rehabilitation clinic, nursing home
  • (B) one of the biggest academic hospitals
  • results were shattering: we could access 1.2
    million patient records (8% of Dutch population)
  • access: copy, delete, change

17
insurance number, initials, surname, phone, date
of birth, insurance number, street, zip code, city
18
patient code, infection, informed by, notes
19
(No Transcript)
20
Secr. of Health about the hack
  • 'The privacy of medical data should not be at
    stake. Medical data should not be out in the
    open! Hospitals are responsible for the
    enforcement of safety requirements with respect
    to sensitive data and should take action. That is
    actually not a matter of money, but of internal
    procedures and a proper administrative
    organisation.'
  • - secr. Hoogervorst in Parliament, Sept. 6 2005

21
On second thoughts...
  • Nov. 11, letter to parliament
      • implementation of national EPR postponed
      • 'security' mentioned 27 times
      • NEN 7150 (set of safety rules) becomes
        touchstone
      • new committee within Dpt.
      • law on medical secrecy might be re-assessed
  • Yet
      • wrong level: hospital A sends sysadmin
      • wrong problem: 'we have a proper firewall'
        (AMC)
      • wrong solution: NEN 7150 far too broad
        (skirthings)

22
Resumé
  • technology is hailed as a cure-all
  • three huge problems within six months
    (viruses, software bug, hack hospitals)
  • improvement of health care dubious
  • protection of highly sensitive data severely
    lacking
  • EPR is politically abused (law enforcement,
    eNIC)