Today I read in the British publication The Telegraph that a London hospital is making plans to move patient records “into the cloud” (which is to say, they wish to make the patient’s records available online). You can click here to see the Telegraph Article
Folks, this is as BAD an idea as I have seen since it was proposed that presidential elections in the United States should use online voting!
Why is this a bad idea? I can spell it out for you in one word: Security (as in “the lack of”).
If you have followed the news at all this year, the number of so-called “secure” systems whose data have been compromised is astounding:
And the list just keeps going on and on…
Folks, I’m going to give it to you straight. I am a computer scientist who holds both a Bachelors and a Master’s Degree in computer science and has over thirty years in the profession…and I will tell you that in the final analysis, your data online IS NOT SECURE!
Encryption, the scrambling of data that so many online databases tout as protecting your data, can be broken (and has been broken time and time again). Multiple method user identification (like the RSA Secure ID device) has been broken as well (see above). SSL certificates, the things that let you log into a website “securely” for things like online banking or making purchases, have been “forged” in the past. Passwords most certainly are not secure (so many can be simply “guessed” with just a little information about the account holder), and this is before we even BEGIN to factor in:
- Unscrupulous employees of the companies that are supposed to be protecting your data (a.k.a. “inside jobs”)
- Social Engineering – a con method of getting someone to reveal key information about their account so that a hacker can compromise their data
- Human error where data is exposed to the public by programmer or administrative error rather than by being “hacked”
Given the list above (and this is just some of the more largely publicized break-ins), I don’t think you need to take my word for it. Read those articles and do some searching for yourself online. If your data online was that secure, then why are there so many break-ins being experienced by these so-called “secure” computer systems?
Now bringing it back to patient records online, Tony Lucas, the founder of Flexiant, the company that is putting all of this together, is either misinformed or just plain lying. Again I direct you to the list of compromised systems above. There are techniques that can help secure your data against amateurs trying to gain access to it, but in the face of determined system crackers, the evidence is overwhelmingly against him that your information is actually secure.
Most distressing to me is that Mr. Lucas is making noise about this information being available via mobile phones…a technology that to date has still not demonstrated that it can be safe from malware.
When it comes to the computer security techniques employed today, I like to use the analogy of someone who wants to steal your car. Do you lock your car doors? I know I do. Do I think that it 100% protects my car from theft? Of course not! If someone really wants my car…there are ways to get it. Same thing with car alarms. Do you think that just because you put an alarm system on your car that no one is capable of stealing it? For me, the answer is “of course not.”
The goal of many protection systems on a vehicle (such as locking the doors or installing an alarm system) is to prevent the mischievous kid, the amateur, or the opportunist from stealing your car. I think most people are aware of the fact that if a professional car thief wants your car, they ARE going to get it.
And so it is with computer security.
We use encryption, secure IDs, SSL certificates and passwords to protect our data against the amateurs, the opportunists, etc. If a “professional” wants to steal our data…their odds of getting it are pretty good.
With the state of security being what it is, do YOU feel good about having YOUR medical records placed online? The potential for abuse is enormous, and the protection that these companies are offering up for your data is by no means air-tight.
Please keep all of this in mind the next time someone offers to put your medical records online, or to have voting for the next President of the United States handled online.