[Apologies for the dearth of Politech messages recently. I've been on vacation in Nova Scotia (and, next week, Prince Edward Island). I'm slowly catching up. --Declan]

-------- Original Message --------
Subject: Hospitals hacked - over 1.2 million patient records retrieved - risks of national EPR database
Date: Fri, 09 Sep 2005 16:46:49 +0200
From: Karin Spaink <karin@private>
To: Declan McCullagh <declan@private>

In a hack of two hospitals, computer security experts of ITSX <www.itsx.com>, Fox-IT <www.fox-it.nl> and Madison Gurkha <www.madison-gurkha.com> retrieved over 1.2 million electronic patient records, i.e. the medical records of 8% of the entire Dutch population. The hospitals had agreed to the test on condition that their names would not be revealed.

One of the hospitals involved has developed a regional electronic patient database in which a number of hospitals and general practitioners co-operate and exchange information over the internet; the other, an academic hospital, is a participant in the newly developing national electronic patient database, which will be accessible to health care workers, also using the internet.

The experts could retrieve all information regarding these 1.2 million people: insurance number, address, date of birth, length, weight, illnesses, history of treatment, past and current medication, etc. The experts were able to alter or delete this information (but of course refrained from doing so).

The test was part of a new project of Dutch ISP XS4ALL, called 'The Next Ten Years', a series of books dealing with the social aspects of developing internet technologies. The first book, 'Medical secrets', deals with the pros and cons of electronic patient records (EPRs) and was written by TNTY editor-in-chief Karin Spaink. She also organised the hospital security tests. A national system for EPRs will be implemented in the next years, starting January 2006.
There has not yet been any public debate about EPRs, nor has there been a proper assessment of the risks of making medical information available over the internet. The Dutch minister of Health, Hans Hoogervorst, was questioned on the matter a few days after the hack, and wrote it off to 'poor internal procedures and administration', not to his lack of investment in a solid infrastructure. Considering that all medical information is stored unencrypted, that hospitals use uncompartmentalised database systems (which allows all databases - and thus, all intruders - to freely exchange information), and often rely only on firewalls against outside invasion, developing a more robust system will only be possible if serious financial commitments are made.

The Dutch national institute that is supposed to guide the implementation of a national EPR database, Nictiz, denied all responsibility too, stating that 'the integrity and safety of medical data is not our responsibility, but that of the health care institutions from which they originate'. Nictiz failed to explain how a reliable structure can be built upon unsafe building blocks.

- K -

--
We all know that good intentions are a perfect substitute for competence.
- de Bris on alt.suicide.holiday, Feb. 25 2003

_______________________________________________
Politech mailing list
Archived at http://www.politechbot.com/
Moderated by Declan McCullagh (http://www.mccullagh.org/)
This archive was generated by hypermail 2.1.3 : Sat Sep 10 2005 - 11:54:22 PDT