July 9, 2007
Caught Between Security & Usability
By Elizabeth S. Roop
For The Record
Vol. 19 No. 14 P. 24
A study shows that USB-based personal health records pose serious threats to provider networks. But does it matter?
They offer a convenient, affordable way for consumers to maintain and transport their personal health records (PHRs), but security flaws identified in a recent study from Oregon Health & Science University may cause some providers to think twice before plugging a USB (universal serial bus)-based PHR into their computer to retrieve patient data.
USB devices are popular—more than 110 million will ship worldwide this year, according to research firm Gartner, Inc.—because they are inexpensive, portable, and can hold massive amounts of data and complex applications. These characteristics are precisely why so-called thumb or flash drives are ideal for PHRs and are the basis for a number of commercially available, self-contained products.
However, an analysis by Oregon Health’s Adam Wright, BS, and Dean F. Sittig, PhD, found that providers may be opening themselves up to trouble whenever they accept a patient’s USB-based PHR.
In their examination of three of the five major USB-based PHR products, the pair found they could modify the programs on the device so that, when connected to a computer, they could search for and copy data from the system to a hidden location on the device—all while giving the appearance of perfectly normal operation.
“The security threat posed by existing patient-controlled USB devices is serious,” write Wright and Sittig in “Security Threat Posed by USB-based Personal Health Records,” published as a clinical observation in the February issue of the Annals of Internal Medicine. “Depending on how a USB-based personal health record is modified, the programs on the device could tamper with data (for example, to enter unauthorized prescriptions); spread computer viruses; corrupt the hospital or practice network to which the computer is attached; leave harmful software behind that could, for example, capture user names and passwords and send them to the person on an ongoing basis; and copy financial or health data—all while the physician is viewing the patient’s health record on the device.”
The Nature of the Beast
According to Wright, the security flaw stems from the fact that USB-based PHRs are designed to be easily and repeatedly modified by the consumer.
“To a certain extent, it has to be that way because you are storing a patient’s information on this thumb drive, so if it were totally read-only, there would be no way to get the information onto it,” he says.
The problem is that the read-write nature of the USB drive means that not only can data be added, but the application contained on each drive that allows patients and physicians to view the health data can also be modified.
That was even the case on one device where the application itself was stored in a read-only partition on the USB drive. When the program was initiated, it immediately called up another piece of software on the read-write section of the drive, which was what Wright and Sittig were able to modify.
“It’s difficult to imagine a way you could allow the software on these USB devices to both run and be secure. That’s one of the issues with the paradigm of the current operating system,” Wright says. “Any program that is running on your computer is running with all the privileges and authorities that [the user has]. If you have the ability to see, delete, or write files, any piece of software that you run can also do that.”
Striking a Balance
Although there have been no reports of security breaches caused by reprogrammed USB-based PHRs, the risk is still very real, according to Ted Doolittle, a principal with Integro Insurance Brokers who specializes in risk management for the technology industry.
“As it relates to healthcare, I think that it is a little overblown right now because how many people do you know who are carrying around their personal health records on a thumb drive? [But] that will change,” he says. “It’s not that it is not a timely topic, but we probably have a little more time to catch up with how to deal with it than people might think. … It’s far better to do it [correct the problem] now when you have a relatively small group of users.”
The challenge will be finding the right balance between security, portability, and user-friendly efficiency. Most vendors of USB-based PHRs already protect the data contained on the drive with encryption and passwords, but those measures do little to protect the company whose system the device is plugged into.
Antivirus and antimalware software can only do so much, says Doolittle. They can catch some viruses before they are launched, but they are not foolproof, and companies must keep their definitions and patches up-to-date, which can be labor intensive. There are also always new viruses and attacks being devised that don’t have patches yet.
Once a device has been introduced to a system and an altered program has launched, “it’s off to the races,” he says. “It’s like when someone sends you a virus through your e-mail. Once you’ve clicked it, it’s too late. If it opens enough to tell you that there is a problem, it is already in.”
Finding a way for thumb drives to act as their own operating system or scanning them before any programs they contain are allowed to run are options. “The question is [whether you can] do it efficiently and make sure it’s not cost-prohibitive,” Doolittle says. “In the security industry, there is a constant pull between efficiency vs. security. Perfect security would mean that we never trade data. You’d never have two systems touch each other. On the other hand, that is horribly inefficient.”
It’s a balancing act with which USB-based PHR vendors are familiar. Two of CapMed’s devices, the E-HealthKEY from MedicAlert and the Personal HealthKey, were part of the analysis done by Wright and Sittig. Both offer 256-bit encryption to protect the data stored on the devices, and the company is looking at ways to lock down the applications themselves, including licensing security software from the device maker.
“There is always that balance between how complex we can make a program to be used for healthcare purposes and the additional cost associated with installing a different application that you need to license from a third party vs. usability. That is where the fine line is,” says Wendy Angst, general manager at CapMed.
The assumption is that most systems and software programs have some type of virus scanning process that should catch any malware before it is introduced into the system.
“There is no failproof way by any of those methods to ensure that nothing gets transferred through,” Angst says. “If [someone] wants to modify the software application itself, there are only so many ways of locking it down. It would really have to be a sophisticated, determined user who wants to go in there and actually do that. But you never know.”
Carl Franzblau, PhD, president of Med-InfoChip, which offers the third device analyzed by Wright and Sittig, pointed out that even with the potential for malicious code to be programmed onto a USB-based PHR, it is still far more secure than carrying paper files from one provider to the next. Plus, the benefits of providing access to necessary health information when and where it is needed far outweigh the risks.
“One third of all deaths in the United States are due to mistakes. Those are fantastic numbers, and they are due to mistakes because no one has any data,” he says. “If you say you can reduce that because, for example, I happen to know all the drugs I’m taking, both prescription and nonprescription, and I can give those to my doctor because I have [that information] on my chip … that would be a wonderful thing. That is what it is all about. I’m all for security as best as one can, but don’t make security so good that the personal information is not available in times of need.”
Protect Thyself
Wright and Sittig conclude in their study that because there are no reliable mechanisms to verify the integrity of USB-based PHR programs, the only way for providers to avoid attack is to not accept such devices from their patients.
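As an added illustration (not from the article, the study, or any PHR vendor), the following Python script shows the kind of integrity check a provider’s workstation could run before launching anything from a removable drive, and why the read-write loader described earlier defeats a check that relies on the drive alone. It compares the application files on the drive against a SHA-256 manifest held on the provider side, while leaving the patient’s editable record files out of the comparison. The file names, the manifest layout and the sample contents are all constructed assumptions; the point is that the reference digests must come from somewhere the patient cannot write to, because a manifest sitting on the writable partition can be replaced along with the loader.

```python
"""Added example: verify USB-hosted application files against a manifest
held off the device. Not code from the article or any PHR product; the file
names and contents below are constructed for the demonstration."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not need to be read at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, app_files):
    """Record known-good digests for the executable and loader files only.

    Patient data files are deliberately excluded: the drive exists so the
    patient can update them, so their digests are expected to change."""
    return {rel: sha256_file(root / rel) for rel in app_files}


def verify_drive(root: Path, manifest: dict) -> list:
    """Return a list of problems found; an empty list means every manifest file
    is present and unchanged, which is the only case in which launching the
    application from the drive should be permitted."""
    problems = []
    for rel, expected in manifest.items():
        p = root / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != expected:
            problems.append(f"modified: {rel}")
    return problems


def demo():
    """Constructed walk-through: pristine drive, patient edits record, loader swapped."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "data").mkdir()
        # Constructed stand-ins for the viewer and the loader it calls.
        (root / "app" / "viewer.exe").write_bytes(b"constructed viewer stub")
        (root / "app" / "loader.dll").write_bytes(b"constructed loader stub")
        (root / "data" / "record.xml").write_text("<phr>constructed</phr>")

        # The manifest is built once from known-good files and would be kept
        # on the provider side, never on the drive being checked.
        manifest = build_manifest(root, ["app/viewer.exe", "app/loader.dll"])
        clean = verify_drive(root, manifest)

        # The patient updating their own record is legitimate and must pass.
        (root / "data" / "record.xml").write_text("<phr>updated</phr>")
        still_clean = verify_drive(root, manifest)

        # The loader on the writable partition is replaced; the check must fail.
        (root / "app" / "loader.dll").write_bytes(b"constructed tampered loader")
        tampered = verify_drive(root, manifest)
        return clean, still_clean, tampered


if __name__ == "__main__":
    for label, result in zip(("pristine", "record edited", "loader swapped"), demo()):
        print(f"{label}: {'OK' if not result else result}")
```

`demo()` returns three problem lists: empty for the pristine drive, empty after the patient edits their record, and a single `modified: app/loader.dll` entry after the loader is swapped. The check only controls what the provider’s workstation is willing to launch; it does nothing about a program that has already run, which is why the study treats refusing the device as the only complete defence.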
They did point out, however, that Web-based PHRs are a safer alternative because they are viewed through a Web browser and require no special software to run. Other PHR options include CD-based programs that store data on the consumer’s computer, letting them generate reports for their physicians or share information through a secure data exchange.
Variety means patients and providers can select the PHR format they are most comfortable with, mitigating security risks while still conveying the benefits that come from having a patient’s health information available when needed.
“Part of what we employ as a company is that the USB is one model,” says Angst. “It’s not, ‘You either take this or the information can’t be exchanged.’ We recognize there needs to be multiple ways of communicating information that meet the needs of both the patient and the provider.”
But while vendors control the level of security on each device, and consumers control access to information on USB-based PHRs, Doolittle says it is the provider who may ultimately bear the brunt of responsibility for ensuring security of their systems when it comes to plugging in the device.
“The provider is going to get stuck with the responsibility, whether or not it belongs there. They are the ones who are going to see the data. When you plug in a device that has been modified, it is first going to show up at [the provider’s location],” he says. “Even the people who do this for a living get—fooled is not the right word—but there are people out there who do nothing but think up ways to cause problems. There is no way to head all this off at the pass.”
That is why he recommends anyone—including vendors and providers—who uses, stores, or transmits personally identifiable patient information protect themselves with not just technology, but also cyber liability insurance to protect them from the financial damage that could be caused by a breach.
At the end of the day, Franzblau says, it is important not to let fears over the potential for security breaches negate the good that PHRs can do.
Security “is a very big concern, but I don’t think it’s the No. 1 priority. The No. 1 priority is to make sure every American carries their personal health record with them,” he says. “We will all work and strive to maximize security, but don’t lose sight of the important thing—the ease with which one can report one’s own record.”
— Elizabeth S. Roop is a Tampa, Fla.-based freelance writer specializing in healthcare and HIT.