| Title | Keeping Secrets in a Hospital |
| Author | Michael Freeny, Author, Terminal Consent, United States |
| Publication Status | Published 2000 |
| Copyright | Copyright of this article is vested in the author. Permissions for reprints or republications must be obtained in writing from the copyright holder. This article has been republished here with permission from the copyright holder. |

Within three minutes of sitting at the clinic’s computer I had located the psych/substance abuse records on the hard drive. The clinic director sweated as I highlighted the database files, launched the web browser, and placed the mouse pointer over the "send" button. I was one click away from dumping the confidential records onto the Internet.

"Lunch at any McDonald's in town?" I asked in my most threatening voice, taunting him with slow circular mouse movements on the computer screen. "Oh God, yes. Anything you want. Just don’t transmit those records," he pleaded.

I smiled in triumph. The Big Mac would be mine. I then suggested that, had I been a true cyber-terrorist, I could have demanded much more. Possibly a few hundred thousand dollars. Maybe a million if the database coughed up an executive case. The clinic staff had no defense against me or any hacker. They were sitting ducks.

These events actually happened at a major teaching hospital within a two-hour drive of Washington, DC, where secrets are a booming business. During a break from a training program I was asked by an Employee Assistance Program Director to visit his office and check out the department’s cutting-edge computer system. The EAP program was housed almost a mile away from the medical center, and the distance contributed to a sense of privacy for the staff who sought help there.

Five months earlier, the medical center's Information Services department (IS) had linked the EAP clinic computers with the rest of the hospital. The staff could now enjoy the conveniences of email, browsing the hospital library from their desks, surfing the Internet, trading data, and that heady feeling of power that often infects "newbies" on the network. Fortunately, the EAP director was tenacious in his task of guarding the confidential records. He had done a little research and had even read my medical thriller about computers in healthcare. He was appropriately paranoid, a marvelous coping strategy for his assigned duty. He didn't trust that the IS department fully understood how essential privacy and confidentiality were to his program. He had explained to them that even one publicized breach would sink the credibility of his program, for none of the staff would ever trust it again.

IS responded with gigabytes of assurance. "Security is tight as a drum," he was told. "Passwords and gateways prevent any unauthorized access," they insisted. "Trust us, we know what we're doing" was their ultimate appeal. Still, the director had doubts. So he asked me, an impartial, moderately sophisticated computer jockey and clinician, to play hacker for a few minutes. I began by asking the staff how much training they had received regarding hardware, software, and security. Sadly, very little. I asked where the computer backup tapes were kept. Blank stares answered the question. "Then your data is backed up by IS over the network," I informed them. I asked what administrative reports were sent out from the clinic. I was shown a summary sheet with demographic data that was distributed to a number of executive management offices. I pointed out that it served somewhat as a newsletter to alert interested people when the EAP had juicy data on file.

The staff then asked that I sit at the computer and do a little investigative hacking. Now, I'm not a hacker, but, as the scene from the beginning of this story illustrates, I was able to sit at an unfamiliar computer, locate the crucial data files, find a link to the Internet, and set up to launch the data in under three minutes.

Feeling a little cocky, I then located about 20 printers in the medical center almost a mile away and was ready to simultaneously transmit the data. I could have just as easily compressed the data and loaded it onto a floppy disk to slip into my pocket.

But what of the password protections? Yes, they can be a slight annoyance, but fortunately we live in the age of cheap yet powerful computers. I could easily take the database home, load it onto a Pentium PC, and have the machine hurl passwords at the database, hour after hour, day after day, until it cracked. That is, of course, assuming I didn't load a password capture program onto the clinic computer to save time, a task that could have been accomplished in a nanosecond by downloading a simple program from the Internet or from a floppy disk. Then I’d just ask the director to log into the database, while I politely turned my back when he entered his password. Then later I’d either peek at a hidden file or wait until it secretly emailed the information to me the next time this computer logged onto the Net. This is all too simple.

What was most distressing to the staff was how easily they had been bamboozled into a delusional sense of security by the IS department. I explained that IS is always three weeks behind, underfunded, and committed to making systems sufficiently easy so that users won't plague them with questions. However, it is not solely the responsibility of IS to protect clinical records; it is also the clinician's duty.

The point of this story is to ask that we health professionals, the keepers of some of the most vital personal secrets of humanity, not ignore our duty to get wise about these issues. We can’t afford to throw our hands in the air and claim technological ignorance as a defense for poor security. I usually advise clinicians that the burden of proof of protection is on the IS department. They don’t get access to this secret stuff until they prove to us it can be kept secret.

I recently attended a presentation by a medical software company that provides an integrated clinical system which manages financial data, risk management, clinical records, and patient tracking (much like MOM in my novel, Terminal Consent). I asked the product manager which was the hardest sell to his clinical customers: hardware, software, user training, or security. He candidly noted, "Security is the toughest sell. No one does it very well and it’s burdensome." Management would rather put their money into more software bells and whistles.

A CEO once protested to me that security is very expensive, particularly since there is no completely bulletproof defense or benchmarks. I agreed, but suggested we establish a simple standard. We’d create a clinical record of the boss, documenting a history of cocaine abuse and paraphilic practices. Then he only needed to have IS design a system that made sure no one could see his record. He suddenly became a big advocate of security. It once again became clear that record protection is not about glitzy technology; it's about fostering administrative motivation. Hopefully, we health professionals know a bit about that.