Tuesday, February 5, 2013
Is it safe?
When I read William Goldman's book "The Marathon Man" years ago, I recall the evil Nazi dentist with drill in hand (played by Sir Laurence Olivier in the subsequent movie) hovering over the un-anesthetized Dustin Hoffman strapped to a chair asking the question: "Is it safe?" Of course, Hoffman didn't know. So when Olivier turned on the drill and Hoffman started screaming, everyone in the theater identified with his pain. I still get chills when thinking about it.
In a previous blog post here, I've described the pain I experienced when we transitioned from paper charts to electronic medical records (EMR)--certainly not as intense as having dental work without anesthesia, but agony just the same. Well guess what! Now we're transitioning to a new EMR. In many ways, our pain level has increased from 6 out of 10 to 9 out of 10.
I interviewed Casey Quinlan, of Mighty Casey Media, a very astute commentator on healthcare in general and cancer care specifically, on This Week in Oncology last Wednesday. The "Mighty Casey" made several cogent observations on EMRs, but we really didn't address the question of security. In the December 15-16, 2012 issue of the Wall Street Journal, Ellen E. Schultz wrote an article entitled: "How Safe Are Your Medical Records?" Two pieces of legislation are cited:
The first is the Health Insurance Portability and Accountability Act (HIPAA) which "allows health-care providers to disclose medical records without a patient's consent when the information used is for treatment, payment and 'health-care operations.' Providers are supposed to exchange only relevant information, but they commonly transfer a patient's entire file, which is easier than separating the pertinent records." In the same manner, protection can be lost for psychotherapy records if they are co-mingled with other medical records.
Second is the American Recovery and Reinvestment Act of 2009 which "prohibits the unauthorized sale of medical records, requires that data be encrypted and mandates that individuals be notified of security breaches. It is too soon to say how effective these rules will be."
Drilling down to the core problem is Mat Honan's original article "How Apple and Amazon Security Flaws Led to My Epic Hacking" and follow-up video entitled "Mat Honan Hacked and Digitally Destroyed". In them he describes an "epic hack" that destroyed his entire digital life in one hour. Having been the victim of a phishing expedition, a minor nuisance compared to his experience, I know how it feels to have your identity stolen. After researching how and why hacking has become more problematical, Honan concludes: "The age of the password has come to an end; we just haven't realized it yet. And no one has figured out what will take its place." He continues: "The ultimate problem with the password is that it's a single point of failure, open to many avenues of attack. Two factors should be a bare minimum." This creates the dilemma that if the password is too simple and obvious, it's a no-brainer to crack; if it's too complex and obscure, the password is hard to remember. And, we are advised never to write passwords down. Why am I not surprised that the most common password used is, in fact, "password," and second is "123456"?
Honan provides a helpful Dos and Don'ts list to survive the "password apocalypse":
DON'T
REUSE PASSWORDS. If you do, a hacker who gets just one of your accounts will own them all.
USE A DICTIONARY WORD AS YOUR PASSWORD. If you must, then string several together into a pass phrase.
USE STANDARD NUMBER SUBSTITUTIONS. Think P455wOrd is a good password? NOp3! Cracking tools now have those built in.
USE A SHORT PASSWORD, no matter how weird. Today's processing speeds mean that even passwords like "h6!r$q" are quickly crackable. Your best defense is the longest possible password.
DO
ENABLE TWO-FACTOR AUTHENTICATION WHEN OFFERED. When you log in from a strange location, a system like this will send you a text message with a code to confirm. Yes, that can be cracked, but it's better than nothing.
GIVE BOGUS ANSWERS TO SECURITY QUESTIONS. Think of them as a secondary password. Just keep your answers memorable. My first car? Why, it was a "Camper Van Beethoven Freaking Rules."
SCRUB YOUR ONLINE PRESENCE. One of the easiest ways to hack into an account is through your e-mail and billing address information. Sites like Spokeo and WhitePages.com offer opt-out mechanisms to get your information removed from their databases.
USE A UNIQUE, SECURE EMAIL ADDRESS FOR PASSWORD RECOVERIES. If a hacker knows where your password reset goes, that's a line of attack. So create a special account you never use for communications. And make sure to choose a username that isn't tied to your name, like firstname.lastname@example.org, so it can't be easily guessed.
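The first four items of the list above (reuse, dictionary words, standard substitutions, short length) can be checked mechanically before a password is accepted. The following is an added example, not code from Honan's article or from this post; the tiny word list, the 12-character minimum and the function name are assumptions made for the illustration.

```python
# Constructed mini word list; a real check would load a full dictionary
# and a list of passwords known from breaches.
WORDS = {"password", "letmein", "dragon", "monkey", "nope"}

# The "standard number substitutions" the list warns about,
# undone before the dictionary lookup.
LEET = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a",
    "5": "s", "7": "t", "@": "a", "$": "s",
})

# Assumption: the list only says "the longest possible password";
# 12 is an illustrative floor, not a figure from the article.
MIN_LENGTH = 12


def check_password(candidate, passwords_in_use=()):
    """Return the list of rules a candidate breaks (empty list = none).

    passwords_in_use is the set of passwords the same person already
    uses elsewhere, as a local password manager would know them.
    """
    problems = []
    if candidate in passwords_in_use:
        problems.append("reused")
    if len(candidate) < MIN_LENGTH:
        problems.append("short")
    lowered = candidate.lower()
    if lowered in WORDS:
        problems.append("dictionary word")
    elif lowered.translate(LEET) in WORDS:
        # "P455wOrd" becomes "password" once 4 -> a and 5 -> s are undone.
        problems.append("dictionary word with standard substitutions")
    return problems


if __name__ == "__main__":
    for sample in ("P455wOrd", "h6!r$q", "correct horse battery staple"):
        print(repr(sample), check_password(sample))
```

A pass phrase built from several words passes the dictionary check here because only whole-password matches are looked up, which mirrors the list's "string several together" advice.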
So, the answer to the question: "Is it safe?" is an emphatic NO. Honan concludes that online identity verification will not be a password-based system in the future, any more than our system of personal identification will be based on photo IDs. But, passwords may still be involved as just one part of a multifaceted process.
This post by Richard Just, MD, ACP Member, originally appeared at JustOncology.com, a joint publication of Richard Just, MD, aka @chemosabe1 on Twitter and Gregg Masters, MPH, aka @2healthguru on Twitter. Dr. Just has 36 years in clinical practice of hematology and medical oncology.