HIPAA tried to address it, and HITRUST and HITECH are the newest entrants into the mix, but health care is just the latest example of an industry's information technology significantly outpacing its ability to secure it. If you've heard me speak on where I think hackers will go next, you've heard some stories about what I would do if I were the bad guy.
Last week I had a routine doctor checkup, and I watched my doctor type in a four digit password to access all of my records (and presumably any record in the practice). Any security professional reading this has had a similar experience with someone in authority accessing data with weak credentials, and like some of them I decided to write a letter to my provider explaining the issue. I mailed the letter on Friday, so I probably won’t hear back for a week or so, but I wanted to include the text of the letter here in case any of you want to use it as a template for writing your own letter.
Dear Dr. Spaceman,
I’m writing you today with a concern of a personal nature. I look forward to a response on this issue.
I have serious concerns on the security and confidentiality of my personal medical history and the data that you store on my family and me. As a security professional by nature, I believe the next frontier of identity theft will target healthcare providers—specifically ones in affluent areas with established practices.
During my visit today, I observed you entering a four digit password to access all of my records. As a doctor participating in the practice, I can only assume that the same four digit password also grants you access to every file on every patient with data in SOFTWARE, your physician management software.
I am shocked at the lack of care performed by your practice with patient data. A four digit password to protect data is unacceptable at best, and grossly negligent at worst. Breaking a password of this strength is trivial, and should not be considered an acceptable way to protect the patient data entrusted to you.
According to the Healthcare Insurance Portability and Accountability Act (HIPAA) of 1996, custodians of ePHI must take care protecting and securing access to this data, including unique usernames and passwords and sufficiently complex passwords for authorized users (§164.308.a.5)(A). Understanding that speed and usability are important to patient care, the best solution to boost the security is to add a second element to the authentication, such as an RSA SecurID One Time Password Token, or a biometric reader to read a thumb or finger print. This prevents you from needing to remember long, complex passwords that would be changed monthly or quarterly. My guess is that there are many other elements of the Security rule that you may not be aware of, thus you should have a thorough security analysis of your business performed by a qualified individual.
Please review the information above and provide corrective actions that your practice will take to ensure my personal data remains secure and confidential. I have not filed a HIPAA complaint and would prefer to see this resolved directly by your practice. Feel free to contact me if you have any additional questions or if I can help clarify the severity of this situation in any way.
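The second authentication element the letter recommends is a one-time password token. The following is an added example, not code from the original post or from any physician management software, showing how a time-based OTP is generated and verified per RFC 4226 (HOTP) and RFC 6238 (TOTP). The secret is the RFC test-vector value, used here as a constructed placeholder; the drift window and step size are assumptions.

```python
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 test-vector secret (constructed placeholder, never use in production).
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the Unix time divided by the step (30 s here)."""
    return hotp(secret, at_time // step, digits, algo)


def verify_totp(secret: bytes, submitted: str, at_time: int,
                window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Accept the code for the current step or +/- `window` adjacent steps (clock drift).

    The comparison is constant-time so the check does not leak how many digits matched.
    """
    if not (submitted.isdigit() and len(submitted) == digits):
        return False
    counter = at_time // step
    return any(hmac.compare_digest(hotp(secret, counter + d, digits), submitted)
               for d in range(-window, window + 1))


def second_factor_login(pin: str, stored_pin: str, otp_code: str,
                        secret: bytes, at_time: int) -> bool:
    """Both factors must pass: the PIN the doctor types AND a fresh code from the token.

    A guessed four-digit PIN alone is no longer enough to open the records.
    """
    pin_ok = hmac.compare_digest(pin, stored_pin)
    otp_ok = verify_totp(secret, otp_code, at_time)
    return pin_ok and otp_ok


if __name__ == "__main__":
    now = 59  # RFC 6238 test time; a real server uses int(time.time())
    print("token shows:", totp(RFC_TEST_SECRET, now))
    print("login ok:", second_factor_login("1234", "1234", totp(RFC_TEST_SECRET, now), RFC_TEST_SECRET, now))
```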
I will post updates as I get them from my particular provider. When you go to your next doctor appointment, pay attention to how they protect your data. See if you can make constructive recommendations to help your providers, and be sure you have them purge any data they don’t need. For example, most providers don’t need to have your social security number, yet they routinely ask for it and we write it down almost by reflex. Ultimately, let’s help this community understand the risk and protect our data so they can focus on what means the most, superior patient care.