Hacking the Doctor


By Zach Schepis

Photo courtesy of Quinn Dombrowski.

Theft of credit card information may be be a common fear, but what about surrendering precious healthcare information–such as treatments, needs, and patient descriptions–in the blink of an eye?

The idea is terrifying, sure, but so too is the prospect of a digital healthcare system that could forever remain clunky and unsecured. A future of cyber physicians subject to outside hacking who hold our lives in their artificial hands?

No thanks.

Thankfully, there are educated individuals fighting to keep scenarios like this from becoming realities.

Dr. Ross Koppel first stirred controversy in 2005 when he co-authored an article in the Journal of the American Medical Association that discovered a first-generation physician-order entry system (CPOE) at the Hospital of the University of Pennsylvania was continually manifesting new errors in the system even as it reduced others.

Now he’s an adjunct professor of sociology at the same university and serves as their principal investigator in the School of Medicine into the study of hospital workplace culture and medication errors. He has authored over 160 academic papers and articles, several monographs, and books regarding technology’s role in hospital workplaces.

Dr. Koppel took some time to talk with BTR about the consequences behind these faulty healthcare systems and what we can do to prevent compromised data in this very personal environment.

BreakThru Radio (BTR): There is currently a lot of discussion about information security in healthcare, such as Anthem announcing that more than 80 million individuals in their system were subject to a large data breach. What are the potential ramifications for healthcare data collection after events like this?

Dr. Ross Koppel (RK): There are several and some of them are not so immediately obvious. For instance, if you’re worried that the information that you give your physician or provider will be used by others, you may not be so forthcoming. That has dire consequences for your healthcare treatment. If you’re holding back critical information, whether it’s about something typical like constipation or something much more serious, the quality of medical care you receive will seriously deteriorate.

Another problem is that data, such as healthcare data, are prime topics for blackmail–especially in regards to politically sensitive issues. Because your social security number and credit card along with other identification numbers are integrated with that information, when someone hacks into your medical record they’re also tapping into your financial system. The potential for identity theft is severe.

BTR: So who do you think are the most likely perpetrators breaking into these information security systems in the medical field?

RK: Well the Anthem break-in was clearly executed by very sophisticated professionals, which suggests some sort of government involvement. A lot of the systems are so clunky with password sharing and people giving up on trying to remember all of their passwords which they are often forced to change and re-memorize every few months. They’re just trying to get the drugs for their patients, the supplies for those that are in need or sick. You see these supply cabinets lined with stalactites of yellow sticky note reminders so that they can remind one another and treat patients more efficiently.

It’s the nature of the healthcare industry that emergencies are very common, and clinicians don’t like watching patients get sicker, so they’ll inevitably bypass security systems that delay immediate treatment. But that creates vulnerabilities that end up spurring more vulnerabilities for others.

BTR: In what ways do they have to bypass security systems?

RK: I look at the role of work flow and the tasks and responsibilities of the people involved, and how when the software doesn’t align with the necessity of the workflow, people are obliged to do “work-arounds.” On the one hand, these work-arounds are what keep patients alive; on the other, they create dangerous vulnerabilities.
I’ll give you an example. A patient comes into the emergency room and they’ve been shot three times and are bleeding all over the floor. The doctor wants to order medications to save the patient’s life and is trying to enter the patient’s blood pressure into the system to do so, but the computer won’t let him. Nobody typically has a blood pressure of 40 over 20, but obviously most of the patient’s blood is on the ER floor, so this is an exception. But the computer doesn’t understand that and can only process it as an illegal entry.

BTR: So what does the doctor do about it?

RK: Well, to deal with it the doctor might enter a more normalized blood pressure of 120 over 80 so that the system will allow him to order the medication. But now he has to either go back and re-enter the proper data, or the doctor will be called before a professional committee that will challenge why he or she ordered so much medication for a patient whose vitals didn’t necessitate that kind of treatment. It’s a sort of no-win.

Another example is if you don’t have access to a particular patient’s information who is in immediate need. The doctor is forced to scream across the hallway, “hey Bob, what’s your code?” The situation is remedied, but maybe now other people have heard that important data.

BTR: So do you think that’s the biggest reason why the healthcare system lags behind others when it comes to protecting delicate personal information?

RK: I think there are other reasons. The only way personal information can be verified in the medical sector is through creating a unique patient ID. Unfortunately, that patient ID links your medical needs and details with your personal information, such as your social security number and sensitive financial data. If we could create a unique patient ID that just included your medical profile–what medications you need, allergies you have, etc–and didn’t mandate an inclusion of other sensitive identifying data outside of your healthcare, then there would be a much greater level of security.

To hear the rest of our interview with Dr. Ross Koppel, tune into this week’s episode of Third Eye Weekly.