Mark Warner certainly isn’t the brightest (in re online medical records).

From Virginia Lawyers Weekly:

A hacker’s theft of millions of Virginia’s most sensitive prescription drug records isn’t slowing Sen. Mark Warner’s push for electronic medical records.

The former governor convened a conference in Richmond last week about the medical and cost-saving benefits of digitizing hundreds of millions of patient records nationally.

“We’ve been talking about this subject, policymakers have, for decades: how can we make sure that we can bring the power of information technology to our health care system,” Warner told reporters at Virginia Commonwealth University.

Warner, who made a fortune as an early investor in cell phones and information technology, was among the earliest apostles of e-medical records. The federal economic stimulus package that Warner supported provides nearly $20 billion to begin the process of digitizing medical records and sharing them over secure networks.

Here’s the money quote at the bottom of the story (read the whole thing still):

VITA [Virginia Information Technologies Agency] was Warner’s idea for consolidating the state’s disparate and far-flung computer networks and technology procurement systems under one agency. It went online during his term as governor from 2002 to 2006.

“You’re never going to have an infallible system. But … you’ve got to make sure that you learn if there are breaches like this and improve and protect the system,” he said.

Does anyone else feel so safe in the knowledge that the government (or even a business) is going to be responsible for retaining your complete medical record?

The story portrays Mark Warner as being so tech savvy, but he shows by his own comments he doesn’t know jack about computer security. And notice that he mentions that you improve security on the system only after the data has been compromised.

And given how a bureaucracy responds to computer security problems, I feel even more secure: Consider how the Oklahoma Department of Corrections implemented their state-wide sex offender registry. They set up the system and how it communicated with the database in such a way that it was possible to change a few words in the URL of the web page and voilà, you have the social security number of every person listed on the registry (The Register (UK), Daily WTF).

And when the author of the article at the Daily WTF alerted the Oklahoma DOC to the problem, they responded by changing the SELECT term from “social_security_number” to “Social_Security_Number”. Just change the URL to the capitalized term and voilà, the information was still available to anyone. The problem was only fixed when the author revealed to the Oklahoma DOC that not only was information available about people that were on the sex-offender registry, but information regarding DOC employees, including medical information, was also available.

The author also theorizes that given the way the system was set up, he could have added records to the tables, enabling him to add people as DOC employees or as sex-offenders.
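The pattern described above, sketched as an added example (not code from the Daily WTF article or the DOC system): a handler that runs SQL taken from the URL and only rejects one exact column spelling, next to a handler whose query text is fixed on the server. The table, column and function names are assumptions, and the row is constructed sample data.

```python
import sqlite3

def make_db():
    # Constructed sample table; schema and values are assumptions for illustration.
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE offender (id INTEGER PRIMARY KEY, name TEXT, "
        "city TEXT, social_security_number TEXT)"
    )
    db.execute(
        "INSERT INTO offender VALUES (1, 'Sample Person', 'Tulsa', '000-00-0000')"
    )
    return db

# The "fix" described in the post: reject one exact, case-sensitive spelling.
BLOCKED = "social_security_number"

def blocklist_handler(db, sql_from_url):
    """Weak pattern: the client supplies the whole SQL statement."""
    if BLOCKED in sql_from_url:
        raise PermissionError("blocked column")
    # SQL identifiers are case-insensitive, so the string check above does not
    # describe what the database will actually return.
    return db.execute(sql_from_url).fetchall()

# Hardened pattern: columns and query text are decided on the server.
PUBLIC_COLUMNS = ("id", "name", "city")

def allowlist_handler(db, city):
    """The URL contributes only a value, bound as a parameter, never SQL text."""
    sql = f"SELECT {', '.join(PUBLIC_COLUMNS)} FROM offender WHERE city = ?"
    return db.execute(sql, (city,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    # The blocklist passes the capitalized spelling and the column is returned.
    print(blocklist_handler(db, "SELECT Social_Security_Number FROM offender"))
    # The fixed query never selects the sensitive column, whatever the URL says.
    print(allowlist_handler(db, "Tulsa"))
```

Since the post also notes that records could have been added, the database account behind a public page like this should have read-only access to the public columns and nothing else.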

If that’s the way the government is going to handle my medical records, no thanks.

And, of course, it isn’t just the government that has failed to address security concerns. According to The Register, a prescription processing firm, Express Scripts, offered a $1,000,000 bounty for the return of personal information, including prescription information in some cases, that a group managed to download.

This also goes back to the nature of computer security. It’s a reactive process. Security flaws and exploits are not fixed until there’s a problem that has been documented. Hell, just look at every security vulnerability in any Microsoft product.

And normal citizens don’t give a damn about their security in most cases, and where do those people work? Some are bound to work in sensitive places. You still have people that either don’t bother with wireless network security on their routers, or if they do, they’re still using WEP, which the FBI demonstrated could be cracked in three minutes back in 2005. And even the more secure WPA has been demonstrated to have security vulnerabilities.

And by no means am I saying that paper records in a doctor’s office are secure. But at least then it has to be an employee or a burglar that compromises the information. And it wouldn’t affect millions and millions of people if it does happen. It also would take a lot more time and effort to copy and distribute paper medical records than it would take for electronic files. Even if you find the people that compromise an electronic medical record, that information could have been forwarded to a million people already.

And then you have situations where neither the government nor business disclose the fact that their information has been compromised. Was it Bank of America that failed to tell their customers that their personal information had been breached until six months after the incident occurred? And look at how the state of Virginia has been mum about what exactly was compromised with the hacking of their prescription drug database.

All around, this is a Charlie-Foxtrot waiting to happen.

5 Comments

  1. LarryG says:

    Do you know why when you go to a referral doctor they give you a clipboard with 3 pages of questions about yourself?

    It’s because they do not have access to your full set of medical records…

    they may not even know what drugs you are taking unless you can remember to tell them.

    Do you know how many duplicate (and expensive) tests are given.. or more important.. ones that should be done but are not.. because the doctor did not see your complete medical history and, in fact, was looking at 3 pages of what you were able to remember in 5 minutes?

    There are indeed risks in electronic records (of any kind) but can you imagine … even police work.. in a non-electronic world?

    This is the reason why the Republicans are losing by the way.

    they are not interested in dealing with the issues that affect the common man…

    Warner is… flaws and all.. and that’s why he and the Dems are winning…

    they are looking for solutions.. flawed and all rather than fighting change.

  2. Police work is a whole lot different than medical records. In Virginia, there are approximately 250 different police organizations and most of them aren’t interconnected.

    Meanwhile, there will be 10,000+ doctor’s offices in Virginia alone probably that will be connected to a massive database under this plan. What happens when the nosy next door neighbor that works at a doctor’s office and wants to know more about you decides to do a search for your complete medical record? What happens when a burglar breaks into a doctor’s office and uses their login to access the system and downloads a couple million medical records?

    Everyone complained about the Real ID act and what biometric information would be stored on those IDs. If this goes forward, the government would have access to anyone’s medical information. It’s bad enough they send you a 20 page census form to fill out every ten years but now they would have access to the medical information. How long until that information is regularly analyzed by someone to look for terrorists or whatever else ‘national security threat’ is the theme of the day?

  3. That is a scary thought, what happens when a hacker then can find out the DOC, or VSP officers’ medical conditions or address or SSN. Then great he can fake a Law Enforcement ID.

  4. LarryG says:

    hackers can get into ANY system that is not adequately protected INCLUDING police systems.

    this is little more than fear mongering…to stop something that is vital to everyone’s health care.

    Your records are already in electronic form if you have a driver license, or own property or have a bank account.

    this sentiment is luddite in the extreme…

    you guys of all people with your police interests should know…

    right now.. in many police cars and at traffic signals are devices that can instantly “capture” a license plate.. send it to a database and alert the policeman if the driver is a bad guy.

    Now.. yes.. there are some inherent risks with regard to government and electronic data records but only in health care is this scare mongering seeking to delay its implementation.

    ya’ll are basically afraid to deal with the world as it really is – right now.

    you can’t make it go back.. you can only fix the things that need fixing as we go forward.

    your health care is crumby because your doctor does not have access to an electronic version of our medical history – that’s the plain fact.

    and your reason for opposing it? ” because hackers can get the data and mis-use it?”

    lame…guys lame…

    Let’s take the laptops out of the police cruisers because of the fear that hackers will hack into them – okay?

  5. Larry, the government should not have any involvement in health care, that is a decision between my doctor and me. Not what my government has to say about it. Only me and my doctor should know my medical history, not some paper pushing bureaucrat in Richmond or D.C. Nor should they control what medical care I receive as they want to do, why should the government have my medical records?
