Add UCLA to the list of health care providers that have been hacked. UCLA says they discovered the hacking last September, but it was not until May that they discovered that the hackers had gotten into the part of the system that stores patient records. Even now they are not sure if the hackers took patient information. One can only assume that is because of a lack of sufficient auditing.
UCLA is saying that 4.5 million patient records, going back to 1990, may be affected. Information taken could include names, birth dates, SSNs and other identifying numbers, diagnoses and procedures. They say that they do not think that payment card and other financial information was taken. Notice that they are not really sure about much other than that bad guys were there.
The data in the database was not encrypted. Some people are beating up UCLA for the lack of encryption and I can certainly join that crowd, but I will point out that encryption is far from a silver bullet. Since authorized users need to be able to read the data, they need to be able to decrypt it. If the hackers appeared to be an authorized user, the system would decrypt the data for them.
In addition, especially with databases, encryption tends to screw up functions like searching.
What I will beat them up for is that the data that was compromised goes back to 1990.
My two cents, for what it is worth, is that if you have not seen the patient in the last 25 years, they are not likely to be a new patient any time soon. It doesn’t mean that you won’t, but it is much less likely.
This is the big data paradox. Just because you can keep it does not mean that you should keep it. If you don’t have it, the bad guys cannot take it. Organizations need to review their data retention requirements and age out unneeded data.
In this case, if you have not seen a patient in 5 years (pick a number), maybe you should archive the data in a different system, leaving only a pointer in the main system that the person has been there. Still, you are likely to have to leave the person’s national ID number – oh wait, the U.S. doesn’t have a national ID number – in the main system. Of course I am being facetious; the social security number has turned into a national ID number. And, in reality, you could leave only an encoded (hashed) version in the main system to reduce the usefulness of that data to a hacker. Using an archive/recall system with the appropriate security measures to recall old data in the unlikely case of needing it would reduce the amount of data available to a hacker.
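The archive-and-pointer idea above, sketched as an added example (it is not from UCLA or any system this post describes): records not seen within the retention window move to a separate store, and the main system keeps only an ID and a token of the SSN that still supports exact-match lookup. Where the post says "hashed", the sketch uses a keyed HMAC-SHA256 instead, because a bare hash of a nine-digit number can be enumerated; the schema, table names, key handling and sample records are all assumptions.

```python
import hashlib
import hmac
import sqlite3
from datetime import date

RETENTION_YEARS = 5  # the post's "pick a number"

def ssn_token(ssn, key):
    # Keyed HMAC rather than a bare hash: there are under 10^9 SSNs, so an
    # unkeyed hash can be enumerated. The key is kept outside the database.
    digits = "".join(c for c in ssn if c.isdigit())
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()

def age_out(main, archive, key, today):
    # ISO dates compare correctly as strings, which also sidesteps Feb 29.
    cutoff = f"{today.year - RETENTION_YEARS:04d}-{today.month:02d}-{today.day:02d}"
    rows = main.execute("SELECT id, name, ssn, diagnosis, last_seen "
                        "FROM patients WHERE last_seen < ?", (cutoff,)).fetchall()
    for row in rows:
        archive.execute("INSERT INTO patients VALUES (?,?,?,?,?)", row)
        main.execute("INSERT INTO archived_pointers VALUES (?,?)",
                     (row[0], ssn_token(row[2], key)))
        main.execute("DELETE FROM patients WHERE id = ?", (row[0],))
    archive.commit()  # archive first: a failure leaves a duplicate, not a loss
    main.commit()
    return len(rows)

def find_pointer(main, ssn, key):
    hit = main.execute("SELECT id FROM archived_pointers WHERE ssn_token = ?",
                       (ssn_token(ssn, key),)).fetchone()
    return hit[0] if hit else None

def build_demo():
    # Constructed sample records; none are real.
    schema = "CREATE TABLE patients (id, name, ssn, diagnosis, last_seen)"
    main, archive = sqlite3.connect(":memory:"), sqlite3.connect(":memory:")
    main.execute(schema)
    archive.execute(schema)
    main.execute("CREATE TABLE archived_pointers (id, ssn_token)")
    main.executemany("INSERT INTO patients VALUES (?,?,?,?,?)", [
        (1, "Pat Example", "900-00-0001", "fracture", "1992-03-14"),
        (2, "Sam Sample", "900-00-0002", "asthma", "2015-01-20"),
    ])
    return main, archive

if __name__ == "__main__":
    main_db, archive_db = build_demo()
    key = b"constructed-demo-key"  # assumption: a real key comes from a KMS
    print(age_out(main_db, archive_db, key, date(2015, 7, 17)),
          find_pointer(main_db, "900000001", key))
```

After the run, a dump of the main database holds one current patient plus an ID and an opaque token for the archived one; recalling the full record requires separate access to the archive store.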
Why are we seeing so many hacks into health care systems? I have a couple of thoughts. First, unlike a credit card, you cannot cancel your health history. This means, to someone who can use it, the data is valid forever.
Second, healthcare systems have, in general, not spent very much effort or money on securing their systems from hackers.
Third, there are so many people who want access to your healthcare data (providers, insurers, researchers and the government, just to name a few) that it is hard to figure out whether someone accessing your data is legit or not.
One more thing. UCLA is offering a year of credit protection for victims of their inability to secure your information. Credit protection does nothing to protect you from the illicit use of your health care information and the tail for use of this information could be 25 years or more, so one year is insufficient. The challenge is that we really don’t know what the hackers will do with this information or how it will affect you, so we don’t know what to do in order to protect you. This is a BIG problem.
One should assume that this qualifies as a HIPAA privacy and security violation, so expect HHS to levy a fine of several million dollars – in 3-5 years.
That being said, healthcare data for over a third of the U.S. population has been stolen in the last year, so we had better do something to fix the problem. I promise that it will not be quick, painless or cheap. Sorry.