Health exchange privacy concerns overblown, experts say

With convenience comes risk -- and too much of it when it comes to patient privacy in health care, says Danny Lieberman, CTO of Software Associates, a software security consultancy in Israel, and a founder of Pathcare, a private social network for physicians and patients.

The risk factor, he said, is Health Information Exchanges (HIEs), required under the Patient Protection and Affordable Care Act, which are designed to enable the sharing of electronic health records by physicians and other health care providers.

The goals of such a system are efficiency and accuracy of data. But Lieberman contended in a post last week on both Pathcare and Infosec Island, where he is a long-time contributor, that "a U.S. national HIE network will be the death of patient privacy."

Such a network will be highly vulnerable to malicious attacks, he said, largely for two reasons: "[A] huge, unmitigated threat surface of transactions that are transported inside health care organizations and between healthcare business units using message queuing technology," and the fact that Microsoft is "a near-monopoly controlling the overwhelming majority of systems."

"Since everyone is using the same technologies and the same HIPAA (Health Insurance Portability and Accountability Act) compliance checklist -- life is sweet for attackers -- who know exactly what vulnerabilities everyone has," Lieberman quotes a friend saying.


Lieberman told CSO Online that the goals of the law are fine, but that its execution is the problem. "The Obama administration has given states until 2014 to implement HIE systems," he said. "Otherwise, the federal government will implement a national HIE."

"So what is worse -- a bunch of state systems strung loosely together with baling wire or a federally-run system? Neither alternative is attractive from a data security perspective," he said.

But Lieberman's fellow information security experts do not all share his sense of impending doom. Some of them say he is overreacting, and is basing his argument on conditions that existed about a decade ago, but which have improved since then.

Lieberman's major focus is the technology of exchanges, which he said is being modeled on the retail industry supply chain. "A highly connected system of networked message queues is a convenient and vulnerable entry point from which to launch attacks; these attacks can and do cascade. If these attacks cascade, the entire healthcare system will crash."

Jody Westby, CEO of Global Cyber Risk, said Lieberman's assessment was too much "gloom and doom," although she, like others, acknowledges there is no such thing as 100% security.

"But everyone will not be using the same technologies or have the same system configurations," she said. "There are already health information exchange networks -- the network that enables the insurance companies to see claim information. The one proposed is a bigger concept, but along the same lines."

Westby said: "Attacks will happen and security is a significant part of the HIEs, but the picture (Lieberman) paints is a parade of horribles that is not fully fleshed out and is too broadly stated."

Randy Sabett, an attorney with ZwillGen and an information security expert, said Lieberman is "making two major assumptions that aren't necessarily well supported."

The fact that a highly connected system is designed for ease of use and is based on a common technology, "doesn't necessarily lead to the conclusion that there will be cascade failures. It will fail only if it is not well designed," he said.

Sabett, citing Microsoft's Trustworthy Computing initiative along with general security awareness in both government and enterprise, believes the design will be much better than it would have been even two or three years ago. "With HIEs, you know security is going to be a big deal," he said. "And HIPAA is requiring that all this data is going to be encrypted."

Rebecca Herold, an information security, privacy and compliance consultant, said the development of exchanges does mean increased risk, but agreed with Westby and Sabett that the design of the systems can tackle those risks.

"If the HIEs are thoughtfully and responsibly architected and implemented there will be no cascade of privacy failures," Herold said. "The key is to build them right, with appropriate security and privacy controls, standards and policies, from the very beginning."

Herold, like most experts, said the protection of patient privacy would take more than technology. Besides strong security controls, exchanges must "provide training to ensure their workers know how to protect the information that they work with."

But Lieberman is not about to back down from his warnings. "A lot of the HIE technology is not state of the art," he said. "A person who is in charge of one of the biggest state HIEs in the U.S. told me, 'I don't see why SOA (service oriented architecture) is relevant and I don't believe in cloud computing.'"

And he said the Microsoft "monoculture" in systems and software is worse now than it was in 2003, when a group of security experts wrote a paper titled "CyberInsecurity: The Cost of Monopoly. How the Dominance of Microsoft's Products Poses a Risk to Security."

"Even if they did use state-of-the-art technology, the threat surface of systems with a lot of PHI in a network of interconnected systems is very big," he said.

Lieberman adds that encryption is not a guarantee against data loss. "The HIPAA Security rule requires transmission security - encrypting data in motion - but is vague regarding encrypting data at rest. So even if you encrypt data in motion between two HIEs, once the data hits the HIE premises, there are probably dozens of attacker entry points to get at the data in clear text."
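The in-motion versus at-rest distinction Lieberman draws is the difference between transport encryption, which ends at whatever broker or buffer terminates the connection, and encrypting the record itself at the application layer before it is handed to any intermediary. The Go program below is an added example written for this page; it is not code from Lieberman, Pathcare, CSO Online or any HIE, and the queue type, the sample record and the key handling are constructed for illustration. It models a broker that persists exactly what it is given: with transport-only protection the broker's stored copy is the PHI in clear, whereas a record sealed with AES-256-GCM before publishing leaves the broker holding only ciphertext that nobody without the key can read or alter undetected.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// samplePHI is a constructed record for demonstration, not real patient data.
const samplePHI = `{"patient":"Jane Doe","dob":"1970-01-01","dx":"E11.9"}`

// queue stands in for a message broker sitting between two HIE endpoints.
// Whatever a producer publishes is what ends up on the broker's disk.
type queue struct {
	stored [][]byte
}

func (q *queue) publish(msg []byte) {
	q.stored = append(q.stored, msg)
}

// publishTransportOnly models the transmission-security baseline: TLS protects
// the hop to the broker, but TLS terminates at the broker, so the broker
// persists the decrypted payload. (The TLS hop itself is elided here.)
func publishTransportOnly(q *queue, phi string) {
	q.publish([]byte(phi))
}

// newGCM builds an AES-256-GCM AEAD from a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("need a 32-byte key for AES-256, got %d bytes", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealPHI encrypts a record at the application layer so that brokers, buffers
// and logs along the path only ever see ciphertext.
// Output layout: nonce || ciphertext || tag.
func sealPHI(key []byte, phi string) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// The nonce is not secret, but it must never repeat under the same key.
	return aead.Seal(nonce, nonce, []byte(phi), nil), nil
}

// openPHI reverses sealPHI. A wrong key or any tampering fails authentication.
func openPHI(key, sealed []byte) (string, error) {
	aead, err := newGCM(key)
	if err != nil {
		return "", err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns+aead.Overhead() {
		return "", errors.New("sealed record too short")
	}
	pt, err := aead.Open(nil, sealed[:ns], sealed[ns:], nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// brokerExposes reports whether any message the broker persisted contains the
// plaintext marker, i.e. whether an attacker with access to the broker's
// storage gets the record in clear.
func brokerExposes(q *queue, marker string) bool {
	for _, m := range q.stored {
		if strings.Contains(string(m), marker) {
			return true
		}
	}
	return false
}

func main() {
	key := make([]byte, 32) // in practice supplied by a KMS or HSM, never embedded
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}

	plain := &queue{}
	publishTransportOnly(plain, samplePHI)
	fmt.Println("transport-only broker exposes PHI:", brokerExposes(plain, "Jane Doe"))

	sealed := &queue{}
	ct, err := sealPHI(key, samplePHI)
	if err != nil {
		panic(err)
	}
	sealed.publish(ct)
	fmt.Println("end-to-end broker exposes PHI:", brokerExposes(sealed, "Jane Doe"))

	rec, err := openPHI(key, sealed.stored[0])
	fmt.Println("consumer recovered record:", err == nil && rec == samplePHI)
}
```

The hard part this example leaves out is the one Lieberman's critics lean on: key distribution. Sealing the record only moves the exposure from every broker on the path to wherever the consumer's key lives, so the design question becomes how providers obtain and protect keys, not whether the wire is encrypted.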

Lieberman said he has a better idea than the current model, one focused on "a vendor-neutral, standards-based approach for exchanging healthcare information between patients and providers that will not involve intermediate message buffering and switching."

Details of that, he said, will come in a later post.

Stories by Taylor Armerding