
Inadequate IT Security Knowledge Exposing Personal Information

Events at Yale and a medical consultancy highlight issue


According to an AP story over the weekend, the medical records of some 300,000 Californians who had applied for California workers' compensation benefits were discovered to have been left exposed unwittingly on a publicly accessible Web site.

Apparently, the information was placed on an internal Web site by Southern California Medical-Legal Consultants, a California company that represents medical providers in the recovery of billing from workers' compensation insurance carriers. The AP story stated that the information, which included people's names and social security numbers as well as details about their medical conditions, was not encrypted and didn't require a password to be accessed; nor were search engines kept from indexing the Web pages where the information resided.

Since the company thought the information could only be accessed by its employees and it wasn't linked to any of the company's public Web site pages, no one thought much about it. That was until, as described in a company press release dated the 12th of June:

"The company was notified of the possible breach by a data security firm that discovered some of the files using a sophisticated, automated search of Google indexes."

However, the person at the above-mentioned data security firm—Aaron Titus of Identity Finder—told the AP that what he did was not very sophisticated at all, and that the information was:

"available to anyone in the world with half a brain and access to Google."

Mr. Titus also likened the breach to a "case of felony stupidity."

Ouch.

The basic issue raised in the AP story is that the IT security knowledge and skills of many organizations involved in the capture, storage, analysis, or communication of electronic medical information have not generally kept up with evolving security threats, and the situation doesn't look like it is going to get any better any time soon. As a May New York Times article noted, the "personal medical records of at least 7.8 million people have been improperly exposed" over the past two years.

The Times article noted that the inspector general of the Department of Health and Human Services "had found dozens of vulnerabilities in systems to protect records of patients at seven large hospitals in New York, California, Illinois, Texas, Massachusetts, Georgia, and Missouri. Auditors cited such problems as personal information that was not encrypted and was stored on computers that could be easily used by unauthorized users."

That "improperly exposed" number is expected to rise—possibly significantly—as electronic medical records become more widely used across the US. A recurring question has been whether the 165,000 or so small physician offices in the US that have fewer than 10 employees including the doctor(s) will be able to internally acquire or pay for the IT security skills needed to keep their electronic medical record systems safe, not only now but also against future threats. Given, as the Times article indicates, that hospitals with far more IT resources are having a hard time with IT security, the answer doesn't look promising.

Security questions are also being raised about Australia's proposed AU $466 million national electronic health record system. According to a story over the weekend in The Australian, nearly half of Australians may end up "boycotting the voluntary system when it launches in July next year amid concerns the government may find it impossible to guarantee private medical details remain private."

Supporters of the new national EHR system are confident that it will indeed adequately protect a patient's medical information, but they also agree that the Australian government has to become more active in convincing citizens of that fact. How can this be done?

According to the Australian story, the government simply has to remind people, says Melbourne GP Mukesh Haikerwal, who heads the Clinical Leadership team for the National E-Health Transition Authority and is chair of the World Medical Association, that the new system:

"is much safer than having a fax hanging around the GP surgery that's just come from the clap clinic."

Does that happen a lot in GP surgeries in Australia?

Of course, inadvertent data breaches aren't confined to the medical arena either. Just a week ago, Yale University announced that personal information, including the names and Social Security numbers of 43,000 people who worked for Yale in 1999, had been accessible via Google search for the past 10 months.

As described in a Yale Daily News article from last week,

"The information was stored on a file transfer protocol (FTP) server used primarily for open source materials... In September 2010, Google modified its search engine to be capable of finding and indexing FTP servers...but ITS [Information Technology Services] was not aware of this change...since discovering that the file was accessible, ITS has confirmed that other search engines, such as Yahoo!, do not index FTP servers."

I don't know whether Mr. Titus would describe Yale's case as one of "felony stupidity" too, but it does point out that personal data can be exposed in many, ever-changing ways of which even experienced IT organizations may not fully be aware.

Photo: iStockphoto
