
Data Hemorrhages: Digital Medical Records Run Wild

Electronic medical records are in the news, with President Obama calling for the medical records of every American to be digitized by 2014, and the stimulus package providing $19 billion to make it happen. The plan's many critics are concerned about data security, but recent research by Tuck professor M. Eric Johnson shows that patient data is already hemorrhaging from the health-care system. His antidote, however, may surprise you: "Moving hospitals and health-care organizations towards larger, enterprise-based software systems—which is exactly what the Obama administration is pushing for—will in fact improve this problem," says Johnson.

Johnson's new research shows that the danger comes less from digital medical records than from the ad hoc programs on which many of them are stored, including Excel files and Microsoft Word documents. From those highly insecure formats medical data can go almost anywhere. "When these data get into things like spreadsheets, the inadvertent disclosure comes from all over the place—lost laptops, portable zip-drives, and even email," Johnson says.

Johnson and his colleagues examined data hemorrhages from one such source: Internet-based file-sharing networks. Users who connect to these so-called peer-to-peer (P2P) networks, many of whom do so at work, permit others to search for and copy files stored on their computers. While the overwhelming majority of P2P users are hunting for, say, the latest Jonas Brothers hit, fraudsters can as easily search for medical identities to exploit.

Johnson and his colleagues searched the four most popular P2P networks for keywords associated with Fortune magazine's 10 largest publicly traded health-care companies, which together account for nearly $70 billion in health-care spending. An initial sample collected over two weeks yielded 3,328 files, 389 of which were relevant to health-care or the target firms. About five percent of those contained sensitive information. Johnson then focused on those P2P users whose computers contained the most sensitive files. That search uncovered sensitive information on tens of thousands of individuals, including medical and psychiatric diagnoses. One such document, a government employment application stuffed full of personal details, ironically included a three-page Privacy Act warning. Another contained the names, Social Security numbers, and health insurance providers of more than 20,000 people. Highly personal information of this type is fodder for any number of nefarious purposes, from conventional financial identity theft and medical billing schemes to the fraudulent acquisition of medical services and prescription drugs.

As financial institutions have become more secure, and also much better at detecting fraud, health-care is now emerging as the next big target for data theft, Johnson says. The fragmented network of providers and supporting companies makes the health-care sector especially vulnerable to identity theft and related fraud. These crimes can do tremendous damage to an individual's reputation and health, and the monetary costs are staggering.

"With the electronic availability of this kind of data, it's much easier to perpetrate a large crime and to do it more quickly," Johnson says. Take, for example, the clinic desk supervisor whose role in a $7.1-million fraud was to telephone an accomplice with personal information about the people she admitted, one patient at a time. "That's just kind of a slow drip," Johnson says. "But if she can get 20,000 patients on a spreadsheet and email that to somebody, wow."

This article appears in the May 2009 issue of Tuck Forum.