October 16, 2008 12:00 AM

Potential exists for snooping in EHRs, experts say

Joseph Conn

    Whether the government is looking through electronic health records as part of a high-tech snooping program, Mark Klein couldn’t say for sure.

    But Klein is positive the government is tapping high-speed data lines that carry medical information, because, he said, he helped install the wiretaps himself.

    Klein is probably the most famous former telephone company technician in America. He is now a key witness in Hepting v. AT&T, a class-action lawsuit filed by the Electronic Frontier Foundation, alleging that AT&T, by cooperating in the wiretapping, violated federal and state privacy laws and the constitutional rights of U.S. citizens.

    From October 2003 until his retirement, Klein worked at an AT&T switching facility in San Francisco. There, Klein said in a written statement filed in the lawsuit, his job included installing a “splitter cabinet” on the high-bandwidth fiber-optic cables coming into the AT&T switch room. Klein said the lines he tapped serve as “peering links” from a host of other telecom and Internet service providers in the Bay Area. Klein said much of the Bay Area’s telecommunications traffic moves over those tapped fiber-optic lines.

    To view Joseph Conn's entire package on terrorist surveillance and electronic medical records, read "EMRs could be fair game in war on terror," "A controversial lawyer, HIPAA and the privacy debate," "The tortuous path of the HIPAA privacy provision," "Potential exists for snooping in EHRs, experts say," "Government sets sights on health IT for surveillance," and listen to a podcast interview with Twila Brase, "Possible EMR, national security interest links."

    “It would be everything you could imagine,” Klein said. “E-mail, Web browsing, video, phone conversations, bank transactions; I would assume, unless they took extraordinary measures, medical data goes across there, too. These are the main pipes of the Internet. It’s open to everything from a government, spying on their critics, (to) petty corruption, like an insurance company spying on someone applying for insurance. We don’t know.”

    A splitter diverted exact copies of all traffic flowing through those lines into a locked, secret room erected inside the AT&T building; Klein said he was told by a supervisor that the room was built at the behest of the National Security Agency.

    The analyzer used in the operation, Klein said, was “designed to do high-speed searches. It would look at the content as well as the headers. It can sift through data as it’s passing through the pipe and snatch whatever you want. It can open up a phone conversation that’s sent over VoIP and pull out key words. It’s designed to look at content. That’s what makes it so scary. It was George Orwell’s ‘Big Brother’ machine.”

    Of course there is encryption, and that’s why the intelligence services, if they wanted to gain access to health records, probably wouldn’t use the "Hoover vacuum" approach Klein’s revelations would suggest, several encryption experts contacted for this story said.

    When it comes to tapping fast-moving EHRs at major switching points, the NSA may have met its match with 128-bit encryption, according to cryptographers contacted for this story.

    Bruce Schneier is the founder and chief technology officer of BT Counterpane, a computer network security services provider and author of several books on encryption and cybersecurity. “Whether the NSA could break it if they wanted to is different than if they could break it Hoovering up everything in their path,” Schneier said. With all the traffic at a switch point, “They are drinking from a fire hose. Let’s say it could take 30 minutes” to decrypt a transmission. “That would take too long. If the name is encrypted, then no, because you’d look at 30 billion prescription records.”

    Phil Zimmermann, of Palo Alto, Calif., developed the open-source encryption software Pretty Good Privacy, which he authored in 1991, and popularized its use. About the only way the NSA could clandestinely crack EHRs secured by the 128-bit encryption common to healthcare, as they fly through switching facilities under the circumstances described by Klein, would be if the sender or receiver messed up, Zimmermann said.

    “You could take 128-bit encryption and use it in a stupid way,” Zimmermann said. “You could have a steel door on your house 6 feet thick, but you could have a window next to the door that could be smashed. So, 128 doesn’t matter, if you have this other vulnerability,” which is heightened when medical records stop moving, Zimmermann said. Then, “It depends on who is holding the medical records and it depends on what policies are in place. Just encryption alone isn’t enough if you don’t have the right policies, because someone could just walk in from the government and say, ‘Hand over the keys.’ ”

    And yet, traffic on today’s Internet carries a lot of medical information between people and healthcare information sources that the Health Insurance Portability and Accountability Act of 1996 never contemplated. Often, these communications do not get encrypted.

    Barry Steinhardt, director of the technology and liberty program at the American Civil Liberties Union in Washington, said he has no way of knowing whether individuals’ EHRs have been accessed under the government’s warrantless wiretapping program, but the potential is there.

    “We’ve gone from retail surveillance to wholesale surveillance,” Steinhardt said.

    The ACLU has sued the Justice Department under the Freedom of Information Act to obtain government records related to a “secret surveillance program to intercept, without prior judicial authorization, the telephone and Internet communications of people inside the United States.”

    “To what extent this involves medical records, I couldn’t tell you, or if anybody knows outside of the intelligence community,” Steinhardt said. “But plainly, if the data is communicated through the Internet and (telecommunications company) switches, they are subject to interceptions. It’s crystal-clear the telecoms have given the NSA breathtaking access to the communications stream.”

    On July 10, President Bush signed into law the Foreign Intelligence Surveillance Act of 1978 Amendments of 2008, also known as the FISA Amendments of 2008. The new law prompted a well-publicized controversy and even a filibuster on the floor of the Senate because it grants the telecom companies amnesty from civil lawsuits, like Hepting, for assisting the government not only in intelligence activities that were permissible under several specific laws but also in those activities authorized by the president in connection with an intelligence program after Sept. 11.

    What was not so well-covered by the media is who the amnesty law also protects from civil lawsuits—any “provider of a remote-computing service” (such service is defined by law as “the provision to the public of computer storage or processing services by means of an electronic communications system”) or “any other communication service provider who has access to wire or electronic communications.” Could these two lesser-known amnesty provisions apply to healthcare data-miners and healthcare information exchange organizations?

    That would be “a plausible reading of the statute,” according to Steinhardt.
