Everybody knows what PII is and how important it is to ALWAYS anonymize case reports before sharing them with any third parties. These legal obligations, however, are not always enough to prevent subsequent data linkage by a determined and motivated researcher. Imagine a hypothetical example, such as the case study everyone with an email account is already familiar with: how much effort would it take to find out the dude’s true identity, knowing his occupation and employer, his sister’s name, and the nature of his injuries?
The total number of patient records lost to hackers, other types of IT incidents, and theft is staggering. In 2015, the personally identifiable information of 113,267,174 individuals was affected across a total of 268 incidents. A compliance-driven industry did not stop these incidents from occurring, and did little to increase overall resilience against malicious intrusions and tampering.
“Do not disturb my circles!”
The most famous case of a medical device purposefully altered to prevent a targeted attack by terrorists is Dick Cheney’s pacemaker. But there are many other examples of medical devices whose compromise is potentially life-threatening, from insulin pumps to patient life-function monitors.
Security researchers have long warned that IT security on medical devices is lacking and that malware runs “rampant” in hospital environments. Often, medical software tends to be older and more vulnerable than consumer tech because updating the software might risk running afoul of its Food and Drug Administration approval. (The Washington Post)
“Sit down and relax while I go there and wet the tea”
Patient records are private for a reason. It is not always the best idea to share medical records, wittingly or not, with representatives of different cultures. Their understanding of the patient’s welfare may be entirely different. (Ransomware)
“That’s not my baby!” (Rise of medical identity theft)
The biggest problem with patient data leaks is that the party most affected by inappropriate handling of medical data is the patient, rather than the owner of the data. So whilst the consequences of an internal security failure may be financial in nature for the data owner, as a result of a failure to comply, for the affected patients such an incident can be life-threatening.
How long will it take before patient records and hospital data are taken seriously?