By Richard Just, MD
When I read William Goldman’s book “The Marathon Man” years ago, I recall the evil Nazi dentist with drill in hand (played by Sir Laurence Olivier in the subsequent movie) hovering over the un-anesthetized Dustin Hoffman strapped to a chair asking the question: “Is it safe?” Of course, Hoffman didn’t know. So when Olivier turned on the drill and Hoffman started screaming, everyone in the theater identified with his pain. I still get chills when thinking about it.
In a previous blog post here, I’ve described the pain I experienced when we transitioned from paper charts to electronic medical records. Certainly not as intense as having dental work without anesthesia, but agony just the same. Well, guess what! Now we’re transitioning to a new EMR. In many ways, our pain level has increased from 6/10 to 9/10.
I interviewed Casey Quinlan, of Mighty Casey Media, a very astute commentator on healthcare in general and cancer care specifically, on This Week in Oncology last Wednesday. The “Mighty Casey” made several cogent observations on EMRs, but we really didn’t address the question of security. In the December 15-16, 2012 issue of the Wall Street Journal, Ellen E. Schultz wrote an article entitled: “How Safe Are Your Medical Records?” Two pieces of legislation are cited:
The first is the Health Insurance Portability and Accountability Act (HIPAA) which “allows health-care providers to disclose medical records without a patient’s consent when the information used is for treatment, payment and ‘health-care operations.’ Providers are supposed to exchange only relevant information, but they commonly transfer a patient’s entire file, which is easier than separating the pertinent records.” In the same manner, protection can be lost for psychotherapy records if they are commingled with other medical records.
Second is the American Recovery and Reinvestment Act of 2009 which “prohibits the unauthorized sale of medical records, requires that data be encrypted and mandates that individuals be notified of security breaches. It is too soon to say how effective these rules will be.”
Drilling down to the core problem are Mat Honan’s original article “How Apple and Amazon Security Flaws Led to My Epic Hacking” and follow-up video entitled “Mat Honan Hacked and Digitally Destroyed”, in which he describes an “epic hack” that destroyed his entire digital life in 1 hour. Having been the victim of a phishing expedition, a minor nuisance compared to his experience, I know how it feels to have your identity stolen. After researching how and why hacking has become more problematical, Honan concludes: “The age of the password has come to an end; we just haven’t realized it yet. And no one has figured out what will take its place.” He continues: “The ultimate problem with the password is that it’s a single point of failure, open to many avenues of attack. Two factors should be a bare minimum.” This creates the dilemma that if the password is too simple and obvious, it’s a no-brainer to crack; if it’s too complex and obscure, the password is hard to remember. And we are advised never to write passwords down. Why am I not surprised that the most common password used is, in fact, “password”, and second is “123456”?
Honan provides a helpful Dos and Don’ts list to survive the “password apocalypse”:
DON’T
- REUSE PASSWORDS. If you do, a hacker who gets just one of your accounts will own them all.
- USE A DICTIONARY WORD AS YOUR PASSWORD. If you must, then string several together into a pass phrase.
- USE STANDARD NUMBER SUBSTITUTIONS. Think P455wOrd is a good password? NOp3! Cracking tools now have those built in.
- USE A SHORT PASSWORD, no matter how weird. Today’s processing speeds mean that even passwords like “h6!r$q” are quickly crackable. Your best defense is the longest possible password.
DO
- ENABLE TWO-FACTOR AUTHENTICATION WHEN OFFERED. When you log in from a strange location, a system like this will send you a text message with a code to confirm. Yes, that can be cracked, but it’s better than nothing.
- GIVE BOGUS ANSWERS TO SECURITY QUESTIONS. Think of them as a secondary password. Just keep your answers memorable. My first car? Why, it was a “Camper Van Beethoven Freaking Rules.”
- SCRUB YOUR ONLINE PRESENCE: One of the easiest ways to hack into an account is through your e-mail and billing address information. Sites like Spokeo and WhitePages.com offer opt-out mechanisms to get your information removed from their databases.
- USE A UNIQUE, SECURE EMAIL ADDRESS FOR PASSWORD RECOVERIES. If a hacker knows where your password reset goes, that’s a line of attack. So create a special account you never use for communications. And make sure to choose a username that isn’t tied to your name-like firstname.lastname@example.org so it can’t be easily guessed.”
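The list's warnings about reused passwords, dictionary words, standard number substitutions and short passwords can be checked mechanically at the moment a password is chosen. The Python below is an added example, not taken from Honan's article or from this post; the tiny wordlist, the substitution table and the 16-character minimum are assumptions made for illustration.

```python
# Added example: screens a candidate password against the list's four warnings.
# WORDS is a small constructed wordlist; a real check would load a large
# dictionary and a breached-password corpus. MIN_LENGTH is an assumed threshold.
LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "l", "!": "i",
                      "0": "o", "5": "s", "$": "s", "7": "t"})
WORDS = {"password", "nope", "letmein", "dragon", "monkey",
         "correct", "horse", "battery", "staple"}
MIN_LENGTH = 16


def normalize(password):
    """Lower-case the password and undo the standard character substitutions."""
    return password.lower().translate(LEET)


def split_words(text):
    """Return the wordlist words that exactly tile text, or None if none do."""
    if not text:
        return []
    for end in range(len(text), 0, -1):  # try the longest prefix first
        if text[:end] in WORDS:
            rest = split_words(text[end:])
            if rest is not None:
                return [text[:end]] + rest
    return None


def check_password(password, already_used=()):
    """Return the list of warnings the candidate password triggers."""
    problems = []
    if password in already_used:
        problems.append("reused")
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    plain = normalize(password)
    letters = "".join(ch for ch in plain if ch.isalpha())
    words = split_words(letters)
    if words is not None and len(words) == 1:
        problems.append("dictionary_word")  # several words = a pass phrase
        if plain != password.lower():
            problems.append("leet_substitution")
    return problems


if __name__ == "__main__":
    for candidate in ("P455wOrd", "h6!r$q", "correct horse battery staple"):
        print(repr(candidate), check_password(candidate))
```
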
So, the answer to the question: “Is it safe?” is an emphatic NO. Honan concludes that online identity verification will not be a password-based system in the future, any more than our system of personal identification will be based on photo IDs. But passwords may still be involved as just one part of a multifaceted process.