Social Networks For Patients Stir Privacy, Security Worries

Facebook-like profiles and posts by patients put medical information at risk of theft, abuse

Social networking is infiltrating healthcare with platforms for patients to share intimate details of their diagnoses, medications, physical conditions, locations, and other personal data -- and not necessarily anonymously.

Members of emerging sites such as PatientsLikeMe, DailyStrength, and HealthyPlace can post profiles similar to those on Facebook, and many users are posting their photos, hometowns, and personal health information that could ultimately be abused. And like the mainstream social networks Facebook and LinkedIn, these online patient communities are attractive targets for identity thieves, spammers, and other bad guys trolling for valuable information, security experts say. They also could be used by attackers, employers, or other people to gather private information about a patient that could be used against him or her.

Ironically, the emergence of these sites comes amid growing concerns over patient privacy and security of their data in the move to electronic medical records. Indeed, medical identity theft is on the rise: A recent Ponemon Institute study found 1.5 million Americans have been a victim of medical identity theft, to the tune of $28.6 billion, or about $20,000 per victim. According to the Smart Card Alliance report on medical ID theft (PDF) published this spring, patients hit by this crime typically don't learn about it until they receive a suspicious bill or a doctor notices something awry in their records; in the worst case, it can lead to medical errors and fatalities.

The new generation of patient social networks exposes users to these crimes, as well as other privacy breaches, experts say. Some patients are more willing to share personal information and details than others on these sites, which can serve as welcome or comforting outlets to patients or caregivers looking for support or more information. "There are people who are open and don't care. But there are some who want to participate and are thinking their identities are anonymous," says Nitesh Dhanjani, a senior manager at Ernst & Young and security expert.

Dhanjani says it's possible to uncloak the identities of even anonymous users on patient social networking sites, such as PatientsLikeMe. An anonymous member's information could be compared and correlated with his or her Facebook profile, for example, Dhanjani says.

"Some folks have diseases that unfortunately have a stigma attached to them [and they] sign up with fictitious names," he says. "It's still possible to ascertain these people's real identities by fingerprinting their grammar habits and, most importantly, the nicknames they use for their IDs. In other words, there are people out there declaring details of their medical records thinking they are anonymous, but they are not."

He says it's not difficult to correlate a user's Facebook profile or other online information with that of PatientsLikeMe, for instance, to gather the patient's identity information for phishing or other nefarious purposes. "We know from social networking that with one handle and any one piece of data you have in Facebook, you can easily connect the dots and link everything up" to learn more about a person, he says.

PatientsLikeMe has around 80,000 members, 10,000 of whom have public profiles that can be viewed by nonmembers of the site. Members can choose to be "visible," where registered members can see their profile and username and can contact them via the site. Or they can be "public" members, where nonmembers can view their profile data and registered users can contact them via the site. Executives from the social network were not available for an interview for this article.

Some healthcare organizations are starting to take note of the risks of these healthcare-centered social networking sites. Paul Brian Contino, vice president for information technology at Mount Sinai Medical Center and chair of the Smart Card Alliance's Healthcare Council, says social networking is definitely infiltrating the healthcare industry and bringing with it the related risks. "The patient population is very vulnerable" to fraud and cybercrime, Contino says. "If they have the time and tools, which are becoming more readily available for forensic auditing of this information, you can link together a lot of information [about someone], even if they are anonymous."

Patients on these sites who post their cities of residence can be traced, along with their IP addresses and where they had been hospitalized. An attacker could put the pieces together and determine someone's identity, Contino says. "What concerns me a lot is the average consumer on the Internet doesn't realize how sophisticated these [tools and social engineering attacks can be]," he says.

That could impact the patient's family's financial situation, for instance. "It's easy to link someone's ZIP code and location with their disease process and a couple of other pieces of information and cross-reference and figure out who that patient is," says Dr. Barry Chaiken, chief medical officer at Imprivata. That information could be used against the patient's family in a business deal, for example, due to the financial implications of the illness, he says.

Social engineers, too, could pose as patients and begin to extract enough information to steal the victim's identity and use it for prescription fraud or financial fraud, he says. "That's the risk I see in these social networks," says Mount Sinai Medical Center's Contino. "In a hospital institution, we have security officers and we train IT people to let employees know the risks. On the Internet, patients are [sharing this information] themselves."

Typically, healthy people are more likely to have privacy concerns, he says. "There's a strong dichotomy here," he says. Healthy people are more likely to be up in arms over privacy, whereas sick people are more willing to share because they are so eager for help or information, he says. "They don't recognize the risks at the time," he says.

Many of these social networks sell their data to pharmaceutical companies, for instance, and they can also provide a new conduit for marketing in the wake of the HITECH Act, which limits what patient health data can be used for direct marketing to patients, notes Contino.

Even so, social networks can't guarantee their members are who they say they are. There's no true authentication. Michael Magrath, director of business development for government and healthcare at security firm Gemalto, says that could allow a fraudster to pose as a healthcare professional on the site, which could lead to devastating results for a patient looking for medical advice.

Meanwhile, the millions of dollars healthcare companies are spending to protect patient records could be in vain if some of those patients are willingly posting the same information online, Ernst & Young's Dhanjani says. "I understand the frustration healthcare organizations may feel. They are spending hundreds of millions of dollars trying to get their security controls in order with the ultimate goal of protecting medical records, while the patients themselves are publicly and voluntarily revealing the very same data. This is going to become a bigger conflict in the near future as more and more patients decide to leverage social networking applications like PatientsLikeMe," he says.

Healthcare organizations are too busy fixing traditional security controls to focus on this potential privacy conflict, he says. "They seem to have a myopic view of how social networking relates to their security posture, one that is solely based on monitoring their own employees. Healthcare organizations need to re-evaluate their investments in security efforts to make room for projects to make sure they are aligned with the business implications of their patients participating [in social networks]," he says.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
