Whether the government is looking through electronic health records as part of a high-tech snooping program, Mark Klein couldn’t say for sure.
But Klein is positive the government is tapping high-speed data lines that carry medical information, because, he said, he helped install the wiretaps himself.
Klein is probably the most famous former telephone company technician in America. He is now a key witness in Hepting v. AT&T, a class-action lawsuit filed by the Electronic Frontier Foundation, alleging that AT&T, by cooperating in the wiretapping, violated federal and state privacy laws and the constitutional rights of U.S. citizens.
From October 2003 until his retirement, Klein worked at an AT&T switching facility in San Francisco. There, Klein said in a written statement filed in the lawsuit, his job included installing a “splitter cabinet” on the high-bandwidth fiber-optic cables coming into the AT&T switch room. Klein said the lines he tapped serve as “peering links” from a host of other telecom and Internet service providers in the Bay area. Klein said much of the Bay Area’s telecommunications traffic moves over those tapped fiber-optic lines.
To view Joseph Conn's entire package on terrorist surveillance and electronic medical records, read "
EMRs could be fair game in war on terror," "A controversial lawyer, HIPAA and the privacy debate," "The tortuous path of the HIPAA privacy provision," "Potential exists for snooping in EHRs, experts say," "Government sets sights on health IT for surveillance," and listen to a podcast interview with Twila Brase, Possible EMR, national security interest links."
“It would be everything you could imagine,” Klein said. “E-mail, Web browsing, video, phone conversations, bank transactions; I would assume, unless they took extraordinary measures, medical data goes across there, too. These are the main pipes of the Internet. It’s open to everything from a government, spying on their critics, (to) petty corruption, like an insurance company spying on someone applying for insurance. We don’t know.”
A splitter diverted exact copies of all traffic flowing through those lines into a locked, secret room erected inside the AT&T building; Klein said he was told by a supervisor that the room was built at the behest of the National Security Agency.
The analyzer used in the operation, Klein said, was “designed to do high-speed searches. It would look at the content as well as the headers. It can sift through data as it’s passing through the pipe and snatch whatever you want. It can open up a phone conversation that’s sent over VoIP and pull out key words. It’s designed to look at content. That’s what makes it so scary. It was George Orwell’s ‘Big Brother’ machine.”
Of course there is encryption, and that’s why the intelligence services, if they wanted to gain access to health records, probably wouldn’t use the "Hoover vacuum" approach Klein’s revelations would suggest, several encryption experts contacted for this story said.
When it comes to tapping fast-moving EHRs at major switching points, the NSA may have met its match with 128-bit encryption, according to cryptographers contacted for this story.
Bruce Schneier is the founder and chief technology officer of BT Counterpane, a computer network security services provider and author of several books on encryption and cybersecurity. “Whether the NSA could break it if they wanted to is different than if they could break it Hoovering up everything in their path,” Schneier said. With all the traffic at a switch point, “They are drinking from a fire hose. Let’s say it could take 30 minutes” to decrypt a transmission. “That would take too long. If the name is encrypted, then no, because you’d look at 30 billion prescription records.”
Phil Zimmerman, of Palo Alto, Calif., popularized the use of open-source encryption software he developed, Pretty Good Privacy, which he authored in 1991. About the only way the NSA could clandestinely crack EHRs secured by 128-bit encryption common to healthcare as it flies through switching facilities under the circumstances described by Klein would be if the sender or receiver messed up, Zimmermann said.
“You could take 128-bit encryption and use it in a stupid way,” Zimmermann said. “You could have a steel door on your house 6 feet thick, but you could have a window next to the door that could be smashed. So, 128 doesn’t matter, if you have this other vulnerability,” which is heightened when medical records stop moving, Zimmermann said. Then, “It depends on who is holding the medical records and it depends on what policies are in place. Just encryption alone isn’t enough if you don’t have the right policies, because someone could just walk in from the government and say, ‘Hand over the keys.’ ”
And yet, traffic on today’s Internet carries a lot of medical information between people and healthcare information sources that the Health Insurance Portability and Accountability Act of 1996 never contemplated. Often, these communications do not get encrypted.
Barry Steinhardt, director of the technology and liberty program at the American Civil Liberties Union in Washington, said he has no way of knowing whether individuals’ EHRs have been accessed under the government’s warrantless wiretapping program, but the potential is there.
“We’ve gone from retail surveillance to wholesale surveillance,” Steinhardt said.
The ACLU has sued the Justice Department under the Freedom of Information Act to obtain government records related to a “secret surveillance program to intercept, without prior judicial authorization, the telephone and Internet communications of people inside the United States.”
“To what extent this involves medical records, I couldn’t tell you, or if anybody knows outside of the intelligence community,” Steinhardt said. “But plainly, if the data is communicated through the Internet and (telecommunications company) switches, they are subject to interceptions. It’s crystal-clear the telecoms have given the NSA breathtaking access to the communications stream.”
On July 10, President Bush signed into law the Foreign Intelligence Surveillance Act of 1978 Amendments of 2008, also known as the FISA Amendments of 2008. The new law prompted a well-published controversy and even a filibuster on the floor of the Senate because it grants amnesty from civil lawsuits, like Hepting, to the telecom companies for assisting the government in intelligence activities that were not only permissible under several specific laws but those activities authorized by the president in connection with an intelligence program after Sept. 11.
What was not so well-covered by the media is who the amnesty law also protects from civil lawsuits—any “provider of a remote-computing service” (such service is defined by law as “the provision to the public of computer storage or processing services by means of an electronic communications system”) or “any other communication service provider who has access to wire or electronic communications.” Could these two lesser-known amnesty provisions apply to healthcare data-miners and healthcare information exchange organizations?
That would be “a plausible reading of the statute,” according to Steinhardt.
What do you think? Write us with your comments at [email protected]. Please include your name, title and hometown.
