Wednesday, September 29, 2010

Social Networks For Patients Stir Privacy, Security Worries

Facebook-like profiles and posts by patients put medical information at risk of theft, abuse

By Kelly Jackson Higgins,  DarkReading Sept. 28, 2010 

Social networking is infiltrating healthcare with platforms for patients to share intimate details of their diagnoses, medications, physical conditions, locations, and other personal data -- and not necessarily anonymously.

Members of emerging sites, such as PatientsLikeMeDailyStrength, and HealthyPlace, for example, can post profiles similar to those on Facebook, and many users are posting their photos, hometowns, and personal health information that could ultimately be abused. And like mainstream social networks Facebook and LinkedIn, these online patient communities are attractive targets for identity thieves, spammers, and other bad guys trolling for valuable information, security experts say. They also could be used for targeted attacks, employers, or other people to gather private information about the patient that could be used against him or her.

Ironically, the emergence of these sites comes amid growing concerns over patient privacy and security of their data in the move to electronic medical records. Indeed, medical identity theft is on the rise: A recent Ponemon Institute study found 1.5 million Americans have been a victim of medical identity theft, to the tune of $28.6 billion, or about $20,000 per victim. According to the Smart Card Alliance report on medical ID theft (PDF) published this spring, patients hit by this crime typically don't learn about it until they receive a suspicious bill or a doctor notices something awry in their records; in the worst case, it can lead to medical errors and fatalities.

The new generation of patient social networks exposes users to these crimes, as well as other privacy breaches, experts say. Some patients are more willing to share personal information and details than others on these sites, which can serve as welcome or comforting outlets to patients or caregivers looking for support or more information. "There are people who are open and don't care. But there are some who want to participate and are thinking their identities are anonymous," says Nitesh Dhanjani, a senior manager at Ernst & Young and security expert.

Dhanjani says it's possible to uncloak the identities of even anonymous users on patient social networking sites, such as PatientsLikeMe. An anonymous member's information could be compared and correlated with his or her Facebook profile, for example, Dhanjani says.
"Some folks have diseases that unfortunately have a stigma attached to them [and they] sign up with fictitious names," he says. "It's still possible to ascertain these people's real identities by fingerprinting their grammar habits and, most importantly, the nicknames they use for their IDs. In other words, there are people out there declaring details of their medical records thinking they are anonymous, but they are not."

He says it's not difficult to correlate a user's Facebook profile or other online information with that of PatientsLikeMe, for instance, to gather the patient's identity information for phishing or other nefarious purposes. "We know from social networking that with one handle and any one piece of data you have in Facebook, you can easily connect the dots and link everything up" to learn more about a person, he says.

PatientsLikeMe has around 80,000 members, 10,000 of whom have public profiles that can be viewed by nonmembers of the site. Members can choose to be "visible," where registered members can see their profile and username and can contact them via the site. Or they can be "public" members, where nonmembers can view their profile data and registered users can contact them via the site. Executives from the social network were not available for an interview for this article.

Some healthcare organizations are starting to take note of the risks of these healthcare-centered social networking sites. Paul Brian Contino, vice president for information technology at Mount Sinai Medical Center and chair of the Smart Card Alliance's Healthcare Council, says social networking is definitely infiltrating the healthcare industry and bringing with it the related risks. "The patient population is very vulnerable" to fraud and cybercrime, Contino says. "If they have the time and tools, which are becoming more readily available for forensic auditing of this information, you can link together a lot of information [about someone], even if they are anonymous."

Patients on these sites who post their cities of residence can be traced, along with their IP addresses and where they had been hospitalized. An attacker could put the pieces together and determine someone's identity, Contino says. "What concerns me a lot is the average consumer on the Internet doesn't realize how sophisticated these [tools and social engineering attacks can be]," he says.

That could impact the patient's family's financial situation, for instance. "It's easy to link someone's ZIP code and location with their disease process and a couple of other pieces of information and cross-reference and figure out who that patient is," says Dr. Barry Chaiken, chief medical officer at Imprivata. That information could be used against the patient's family in a business deal, for example, due to the financial implications of the illness, he says.

Social engineers, too, could pose as patients and begin to extract enough information to steal the victim's identity and use it for prescription fraud or financial fraud, he says. "That's the risk I see in these social networks," says Mount Sinai Medical Center's Contino. "In a hospital institution, we have security officers and we train IT people to let employees know the risks. On the Internet, patients are [sharing this information] themselves."

Typically, healthy people are more likely to have privacy concerns, he says. "There's a strong dichotomy here," he says. Healthy people are more likely to be up in arms over privacy, whereas sick people are more willing to share because they are so eager for help or information, he says. "They don't recognize the risks at the time," he says.

Many of these social networks sell their data to pharmaceutical companies, for instance, and they can also provide a new conduit for marketing in the wake of the HITECH Act, which limits what patient health data can be used for direct marketing to patients, notes Contino.

Even so, social networks can't guarantee their members are who they say they are. There's no true authentication. Michael Magrath, director of business development for government and
healthcare at security firm Gemalto, says that could allow a fraudster to pose as a healthcare professional on the site, which could lead to devastating results for a patient looking for medical advice, he says.

Meanwhile, the millions of dollars healthcare companies are spending to protect patient records could be in vain if some of these patients are willingly posting it online, Ernst & Young's Dhanjani says. "I understand the frustration healthcare organizations may feel. They are spending hundreds of millions of dollars trying to get their security controls in order with the ultimate goal of protecting medical records, while the patients themselves are publicly and voluntarily revealing the very same data. This is going to become a bigger conflict in the near future as more and more patients decide to leverage social networking applications like PatientsLikeMe," he says.

Healthcare organizations are too busy fixing traditional security controls to focus on this potential privacy conflict, he says. "They seem to have a myopic view of how social networking relates to their security posture, one that is solely based on monitoring their own employees.

Healthcare organizations need to re-evaluate their investments in security efforts to make room for projects to make sure they are aligned with the business implications of their patients participating [in social networks]," he says.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Stefaan G. Verhulst
Chief of Research
Markle Foundation
10 Rockefeller Plaza, Floor 16
New York, NY 10020-1903
Tel. 212 713 7630
Treo 646 573 1361

Monday, September 27, 2010

FTC Hints at Findings in Upcoming Privacy Report

An official at the Federal Trade Commission on Friday said that the current methods of notifying consumers when their data is being collected are inadequate.

The coments by Maneesha Mithal, the FTC’s associate director of the Division of Privacy and Identity Protection, are an indication of likely conclusions of the agency’s wide-ranging review of privacy regulations. The agency’s revised privacy guidelines are expected to be released later this year.

Ms. Mithal said the FTC’s report would recommend that consumers must be notified at the time that their data is collected – such as when tracking technology is installed on a computers machine by a website or an online advertiser. The current practice of notifying consumers of tracking in privacy policies has not worked, she said.

“Our whole report is about consumer control,” said Ms. Mithal, said at a Washington D.C. conference held by the Online Trust Alliance, an industry group dedicated to tackling privacy and security issues online. Her comments were reported by one of the forum attendees, Christopher Wolf, a director of the privacy and information management group at law firm Hogan Lovells, and confirmed by another attendee. The FTC did not immediately respond to a request for comment.

The Wall Street Journal’s What They Know series has documented the new, cutting-edge uses of the tracking technology used to create profiles of consumers’ habits. The FTC is expected to release a report this year detailing it findings about the burgeoning data industry and its recommendations on how to protecte consumer privacy. Congress is also considering legislation that could place new limits on the data collection industry.

The online advertising industry has argued that the data it collects about users is innocuous becase it does not identify users by name.

However, in her remarks, Ms. Mithal also said that the distinction between personally identifiable data and other types of consumer data is blurring. She also said that the report would also recommend that privacy be part of the design of new technology that involves a user’s information .

Still, it’s not clear whether the FTC’s report will create new restrictions on the data collection industry. One FTC watcher, Berkeley Law School professor Chris Jay Hoofnagle, says he expects FTC report to suggest that Congress needs to act to protect consumers. “I don’t think the FTC is going to announce rules. I think they will call upon Congress to direct them to make rules,” he said.

Follow Jennifer Valentino-DeVries on Twitter @jenvalentino, and for more on digital privacy, follow @whattheyknow.