In this, the third and final part of Security, Privacy and the Law’s interview with M. Eric Johnson (Part 1 may be found here and Part 2 is here), Dr. Johnson talks about why the fragmented nature of the American healthcare system is so dangerous and why he believes greater consolidation would better protect private information. He also talks about the specific problems associated with data security on peer-to-peer file sharing networks.
AARON WRIGHT: That makes good sense. So you keep coming back, it seems to me, to the sort of fragmented nature of the U.S. healthcare system, and you talked very early on about having a couple of theories about why inadvertent disclosures were so prevalent, or, as you called it, “more prevalent.” I don’t want to put words in your mouth. Do you think that’s because of the fragmented nature of the healthcare sector?
DR. M. ERIC JOHNSON: Yeah. I really do. I mean from an IT perspective, the IT that is employed in the healthcare sector in the US – while there is some very sophisticated technology, what we would call islands of automation – the kind of enterprise IT used to actually kind of run the business is less sophisticated than in many other industries. The fragmented nature of the industry really drives that, but it’s not the only thing that drives that; the incentives for individual health care organizations to put large investments in enterprise IT have not been so clear. And, of course, I think that’s one of the things that the Obama administration is trying to change with this stimulus bill and the new legislation around that, to try to create incentives, financial incentives, for organizations to make investments in more enterprise IT.
I think one of the things I find really interesting about this, something I’ve been puzzling through myself in the last few weeks, is that, among the privacy advocates, there’s a lot of concern about universal health care records and electronic medical records in general. I think that you have to separate out a couple of issues there. One issue is just the security of healthcare information, and I would argue that moving towards enterprise healthcare IT will improve the security of healthcare information over the ad hoc way we track information now. There are some privacy advocates that will argue that paper is inherently more secure, and they have one point, which is that, as information gets aggregated, the magnitude of disclosures could be much larger than stealing file folders individually. With that said, I think what they’re missing is that there’s a tremendous amount of information that’s already digital, and I think they’re naïve to believe it’s not going to be more digital. In a very short time anyway, it’s all moving very quickly there. The question is how will it move, and will it be moved into more secure kinds of enterprise systems, or will it live in lots of smaller, less secure applications? And I would argue that moving towards an enterprise, or more enterprise, IT format will enhance security in general across the U.S. healthcare system over time. Will it overnight? No. Then, will the transition be painful? Yes. But I think that I’d rather have them (enterprises) investing in security, and I trust their security a lot more than I would trust the security of a small office and their ability to manage my information in a spreadsheet.
But then there’s the other issue, which I think is more legitimate from the privacy perspective, and that is what policy decisions will we make about this information once it is universally accessible? And that’s another question which has lots and lots of implications. As the information becomes more universally available in more standard formats, then the temptation will be to use that information, of course, and to use it for both good and maybe not so good reasons. So, everything from public health initiatives to allowing firms to use that information to market to me or present opportunities from a healthcare provider that maybe I’m not so excited about, or to allow employers, or the U.S. government for that matter, to use that information to maybe make decisions about my own healthcare or the way I’ll be treated that isn’t so exciting to me either. That’s a really large debate, but that’s not, in my mind, a security debate; that’s a policy debate, and it’s easy to get them mixed up.
AARON: You would say from a purely security perspective then, that greater centralization of the health records would be an improvement over the status quo?
ERIC: And moving towards enterprise IT solutions, which have far larger investments and security than many of the applications that exist today.
AARON: Just to highlight this point, because I think it’s an interesting one, your paper reports being able to access several thousand patients’ data with relatively little effort. You say you think that there’s an incentive for criminals to use more effort than the effort you put into finding this data. Do you feel comfortable ball-parking what percentage of people’s data might already be available to a determined criminal?
ERIC: That would be a hard one to ball-park and probably way out on a limb for me to do something like that. But I also think that our little peer-to-peer experiment used a greater effort than a casual observer would. I was working with a company called Tiversa, and Tiversa has access to the major peer-to-peer networks, so we could see multiple networks at one time and be able to track them over some period of time. Still, we weren’t expending very much effort and had a pretty small budget. But, you know, a more motivated individual would certainly be able to do more than we did and, of course, we were just looking at one little window, one little source of disclosure. There are many other ways to harvest data from healthcare organizations than the peer-to-peer. And so I think that the data could be had, and there is a lot of data out there.
AARON: So, I know you are not very interested in peer-to-peer anymore. But, frankly, I am, so I want to talk to you a little bit about that, if that’s all right. So, why do you think it is that peer-to-peer is such a common way for this information to come out?
ERIC: Well, I think probably there are a couple of features of peer-to-peer that really facilitate this. This is a hypothesis of mine: if we had never killed Napster, if we had found a way to reform Napster to begin with, maybe we wouldn’t be having this conversation. But as I said earlier, the death of Napster and then the subsequent legal maneuvering of the recording industry and other content owners against peer-to-peer file sharing created tremendous innovation in this space. And with that innovation came lots and lots of different clients operating on different networks, each with their own motivations and interests. Some of them open source, some of them private companies. Many of them started as companies and then moved to open source over time. But in all those cases, you end up with lots of different clients. So you take the Gnutella network, there are many new clients that operate on Gnutella, and any particular user of one of those clients has different levels of sophistication and so forth, and so a lot of what we can ascertain is that many times it’s just user error, when they install the client, that they end up exposing more information than they thought they would – their whole hard drive in some cases. Sometimes that’s because of just ignorance of the user; other times it may be because the client itself was really designed in such a way to try to expose more information, either maliciously or, you know, to facilitate file sharing. The peer-to-peer file-sharing community wants to make it as easy as possible for people to share information, so many of the clients come up with wizards that look on your hard drive for media files, and if you store media files in and amongst other documents – for example, if you’ve got a bunch of stuff sitting in My Documents, media and otherwise – typically it’s going to suggest that you share the My Documents folder and bam, you are sharing everything.
And then, of course, there is malware, and there is a fair amount of malware growing in that community, so those things also end up causing users to expose information.
AARON: One of the things we’ve been tracking on our blog is that Congresswoman Mary Bono Mack has recently introduced a bill, I don’t know if you are aware of this, seeking to regulate peer-to-peer networks, which would require clear and conspicuous notice of what files the peer-to-peer networks would be sharing and informed consent of the user before the installation of the software and on the initial activation of the file sharing functions. Just based on my description, does that seem like it addresses some of those concerns?
ERIC: I am aware of some of these actions, and I think they’re completely futile. They’re interesting attempts. Everyone sees the problem and they want to fix it, but the reality is, if you look at the peer-to-peer community now, there are so few real companies left. When we had this hearing 18 months ago, there was a company called LimeWire, and they could grab a CEO by the neck and drag him in there. But that’s just one little piece, and even since that time, now we’ve got open source versions of LimeWire, FrostWire and others that are growing very quickly. Who are you going to regulate? And many of these are not U.S.-based anymore. They are completely open-source initiatives. I don’t see that it’s practical at all to try to get the different communities, these open-source communities; they are not going to adhere to the regulation, and there’s no one to go grab by the neck and drag into court and say, “change your program”. So I think it’s nice for her or for them to create some hype around this or whatever, but it’s not going to have any real effect.
AARON: Do you see any potential legal solutions, or do you think this is something that’s got to be dealt with on the end of the user?
ERIC: I think there are two or three avenues to kind of try to reduce the peer-to-peer problem. Of course, user education, as you just alluded to, is a big piece. There are other avenues, and some of them are pretty unpalatable. The internet service providers have been pointed to as one of the solutions. The security community, and particular software that you can buy from security providers, is another place to look. But I think that in all those cases, I really think about it more from a business point of view. You know, I think for business, the real issue is to try to prevent data from getting into ad hoc formats that then could easily be leaked out, whether it’s through peer-to-peer or lost laptops or any of these other ways. And to say that we can go fix this peer-to-peer problem, I think it’s more a symptom. I don’t think we are going to fix it per se, and even if we could, then there would be some other ways that the information can leak out. The real issue is better access control around the information and better control over the data from a business point of view.
AARON: Okay. That’s all the questions I had and we are about out of time. So, anything else you want to add before we go?
ERIC: Well, I think that the last thing I would say is that the next couple of years are going to be very interesting in this space, between the investments in healthcare and the new administration’s positioning around security. Melissa Hathaway has got her work cut out for her, with a lot of interesting issues coming to bear. But I am quite optimistic we will make some good progress on information in the supply chain of any business. I think security will radically change over the next few years.
AARON: Thank you very much. I really appreciate your time.