Members of emerging sites such as PatientsLikeMe, DailyStrength, and HealthyPlace can post profiles similar to those on Facebook, and many users are posting their photos, hometowns, and personal health information that could ultimately be abused. And like the mainstream social networks Facebook and LinkedIn, these online patient communities are attractive targets for identity thieves, spammers, and other bad guys trolling for valuable information, security experts say. They could also be used by attackers, employers, or other people to gather private information about a patient that could be used against him or her.
Ironically, the emergence of these sites comes amid growing concerns over patient privacy and the security of patient data in the move to electronic medical records. Indeed, medical identity theft is on the rise: A recent Ponemon Institute study found that 1.5 million Americans have been victims of medical identity theft, to the tune of $28.6 billion, or about $20,000 per victim. According to the Smart Card Alliance report on medical ID theft published this spring, patients hit by this crime typically don't learn about it until they receive a suspicious bill or a doctor notices something awry in their records; in the worst case, it can lead to medical errors and fatalities.
The new generation of patient social networks exposes users to these crimes, as well as other privacy breaches, experts say. Some patients are more willing to share personal information and details than others on these sites, which can serve as welcome or comforting outlets to patients or caregivers looking for support or more information. "There are people who are open and don't care. But there are some who want to participate and are thinking their identities are anonymous," says Nitesh Dhanjani, a senior manager at Ernst & Young and security expert.
Dhanjani says it's possible to uncloak the identities of even anonymous users on patient social networking sites, such as PatientsLikeMe. An anonymous member's information could be compared and correlated with his or her Facebook profile, for example, Dhanjani says.
"Some folks have diseases that unfortunately have a stigma attached to them [and they] sign up with fictitious names," he says. "It's still possible to ascertain these people's real identities by fingerprinting their grammar habits and, most importantly, the nicknames they use for their IDs. In other words, there are people out there declaring details of their medical records thinking they are anonymous, but they are not."
He says it's not difficult to correlate a user's Facebook profile or other online information with that of PatientsLikeMe, for instance, to gather the patient's identity information for phishing or other nefarious purposes. "We know from social networking that with one handle and any one piece of data you have in Facebook, you can easily connect the dots and link everything up" to learn more about a person, he says.
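The handle-reuse and writing-style correlation Dhanjani describes, as an added example that is not from the article, from Dhanjani, or from any of the sites named: it normalizes usernames so that separators and case don't hide a reused handle, fingerprints each account's text with character trigrams, and ranks the public accounts most likely to belong to each pseudonymous patient. Every profile and post below is constructed sample data; the 50/50 weighting, the trigram fingerprint, and the function names are assumptions chosen for the illustration, not a description of any real tool.

```python
"""
Cross-site profile linkage demo (added example; constructed data only).
Scores each pseudonymous patient-community account against public accounts
elsewhere using (1) username similarity and (2) a crude stylometric
fingerprint, the two signals Dhanjani says are enough to "connect the dots".
"""
from collections import Counter
from difflib import SequenceMatcher
import math
import re

# Constructed pseudonymous accounts on a hypothetical patient community.
PATIENT_PROFILES = {
    "skywalker_77": "Honestly i dont think the new meds are working... anyone else get this?? im so tired all the time",
    "quietmoon": "Diagnosed last spring. The fatigue is the worst part; I have found that a strict sleep schedule helps.",
    "runner_jane": "Back on my feet after surgery!! Cant wait to hit the trail again, thanks all for the support :)",
}

# Constructed public accounts on a hypothetical mainstream social network.
PUBLIC_PROFILES = {
    "sky.walker77": "dont know why the game crashed again... anyone else?? im so done with this console",
    "j.rivera": "Congratulations to the class of 2010. Proud of every one of you; you have earned it.",
    "trailrunner_jane": "New PR on the 10k this morning!! Cant stop smiling, thanks everyone for cheering me on :)",
    "m_moon_q": "We have found that a strict budget helps; the first months are the worst part.",
}


def normalize_handle(handle: str) -> str:
    """Lowercase and drop separators so 'sky.walker77' and 'skywalker_77' compare equal."""
    return re.sub(r"[^a-z0-9]", "", handle.lower())


def handle_similarity(a: str, b: str) -> float:
    """Similarity of two usernames after normalization, in [0, 1] (1.0 = identical)."""
    return SequenceMatcher(None, normalize_handle(a), normalize_handle(b)).ratio()


def char_ngrams(text: str, n: int = 3) -> Counter:
    """Character n-gram profile. Punctuation and spacing are kept on purpose:
    habits like '??', '!!', missing apostrophes and ' :)' carry the style signal."""
    t = text.lower()
    return Counter(t[i:i + n] for i in range(len(t) - n + 1))


def style_similarity(a: str, b: str) -> float:
    """Cosine similarity of two character-trigram profiles (a crude stylometric fingerprint)."""
    pa, pb = char_ngrams(a), char_ngrams(b)
    dot = sum(pa[g] * pb[g] for g in pa if g in pb)
    na = math.sqrt(sum(v * v for v in pa.values()))
    nb = math.sqrt(sum(v * v for v in pb.values()))
    return dot / (na * nb) if na and nb else 0.0


def link_profiles(pseudonymous, public, w_handle=0.5, w_style=0.5):
    """For each pseudonymous account, rank the public accounts by combined score.
    Weights are an assumption for the demo, not a calibrated model."""
    result = {}
    for p_handle, p_text in pseudonymous.items():
        ranked = []
        for q_handle, q_text in public.items():
            score = (w_handle * handle_similarity(p_handle, q_handle)
                     + w_style * style_similarity(p_text, q_text))
            ranked.append((q_handle, round(score, 3)))
        ranked.sort(key=lambda item: item[1], reverse=True)
        result[p_handle] = ranked
    return result


def best_match(pseudonymous, public):
    """Top-ranked public account for each pseudonymous account."""
    return {h: ranked[0][0] for h, ranked in link_profiles(pseudonymous, public).items()}


if __name__ == "__main__":
    for handle, ranked in link_profiles(PATIENT_PROFILES, PUBLIC_PROFILES).items():
        print(f"{handle:15s} -> {ranked[:2]}")
```

Two things the run makes concrete that the paragraph does not: a handle changes such as `sky.walker77` versus `skywalker_77` is no protection at all once separators are stripped, and even a handle with no overlap still leaks through punctuation and contraction habits, so picking a fresh pseudonym is not the same as being anonymous.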
PatientsLikeMe has around 80,000 members, 10,000 of whom have public profiles that can be viewed by nonmembers of the site. Members can choose to be "visible," where registered members can see their profile and username and can contact them via the site. Or they can be "public" members, where nonmembers can view their profile data and registered users can contact them via the site. Executives from the social network were not available for an interview for this article.
Some healthcare organizations are starting to take note of the risks of these healthcare-centered social networking sites. Paul Brian Contino, vice president for information technology at Mount Sinai Medical Center and chair of the Smart Card Alliance's Healthcare Council, says social networking is definitely infiltrating the healthcare industry and bringing with it the related risks. "The patient population is very vulnerable" to fraud and cybercrime, Contino says. "If they have the time and tools, which are becoming more readily available for forensic auditing of this information, you can link together a lot of information [about someone], even if they are anonymous."
Patients who post their cities of residence on these sites can be traced, as can their IP addresses and where they were hospitalized. An attacker could put the pieces together and determine someone's identity, Contino says. "What concerns me a lot is the average consumer on the Internet doesn't realize how sophisticated these [tools and social engineering attacks] can be," he says.
That could impact the patient's family's financial situation, for instance. "It's easy to link someone's ZIP code and location with their disease process and a couple of other pieces of information and cross-reference and figure out who that patient is," says Dr. Barry Chaiken, chief medical officer at Imprivata. That information could be used against the patient's family in a business deal, for example, due to the financial implications of the illness, he says.
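The ZIP-code-plus-disease linkage Chaiken and Contino describe, as an added example that is not from the article or from either of them: it matches a pseudonymous profile's self-posted ZIP code, age and sex against a public directory of the kind a voter roll or people-search site exposes, counts how many real names remain, and then shows what coarsening those fields does to the count. The names, ZIP codes, ages and conditions are all constructed sample data; `generalize` and the other function names are assumptions for the illustration.

```python
"""
Quasi-identifier re-identification demo (added example; constructed data only).
A patient who posts ZIP code, age and sex alongside a diagnosis has supplied a
quasi-identifier; cross-referencing it against any public directory attaches
the diagnosis (the sensitive attribute) to a small set of real names.
"""
from collections import Counter

# Constructed profiles from a hypothetical patient community.
PATIENT_PROFILES = [
    {"handle": "skywalker_77", "zip": "10029", "age": 34, "sex": "M", "condition": "MS"},
    {"handle": "quietmoon",    "zip": "10029", "age": 52, "sex": "F", "condition": "lupus"},
    {"handle": "runner_jane",  "zip": "02115", "age": 29, "sex": "F", "condition": "Crohn's"},
    {"handle": "oldsalt",      "zip": "02115", "age": 67, "sex": "M", "condition": "COPD"},
]

# Constructed public directory (names, ZIPs and ages are invented).
PUBLIC_DIRECTORY = [
    {"name": "A. Walker", "zip": "10029", "age": 34, "sex": "M"},
    {"name": "B. Diaz",   "zip": "10029", "age": 34, "sex": "F"},
    {"name": "C. Moon",   "zip": "10029", "age": 52, "sex": "F"},
    {"name": "D. Lee",    "zip": "10023", "age": 34, "sex": "M"},
    {"name": "E. Rivera", "zip": "02115", "age": 29, "sex": "F"},
    {"name": "F. Chen",   "zip": "02115", "age": 31, "sex": "F"},
    {"name": "G. Olsen",  "zip": "02115", "age": 67, "sex": "M"},
    {"name": "H. Park",   "zip": "02116", "age": 62, "sex": "M"},
]


def generalize(record, zip_digits=5, age_bucket=1):
    """Quasi-identifier key, optionally coarsened: keep the first `zip_digits`
    of the ZIP code and round age down to a multiple of `age_bucket`."""
    return (record["zip"][:zip_digits],
            record["age"] // age_bucket * age_bucket,
            record["sex"])


def link_identity(profile, directory, zip_digits=5, age_bucket=1):
    """Directory names whose quasi-identifiers match the profile's posted details."""
    key = generalize(profile, zip_digits, age_bucket)
    return [d["name"] for d in directory
            if generalize(d, zip_digits, age_bucket) == key]


def equivalence_classes(records, zip_digits=5, age_bucket=1):
    """How many records share each quasi-identifier key; a class of size 1 is unique."""
    return Counter(generalize(r, zip_digits, age_bucket) for r in records)


def reidentification_report(profiles, directory, zip_digits=5, age_bucket=1):
    """Per pseudonym: the diagnosis that would be exposed and the candidate real names."""
    return {
        p["handle"]: {
            "condition": p["condition"],
            "candidates": link_identity(p, directory, zip_digits, age_bucket),
        }
        for p in profiles
    }


def count_reidentified(report):
    """Pseudonyms that resolve to exactly one real name."""
    return sum(1 for r in report.values() if len(r["candidates"]) == 1)


if __name__ == "__main__":
    for label, kw in (("full ZIP, exact age", {}),
                      ("3-digit ZIP, 10-year age band", {"zip_digits": 3, "age_bucket": 10})):
        report = reidentification_report(PATIENT_PROFILES, PUBLIC_DIRECTORY, **kw)
        print(f"{label}: {count_reidentified(report)} of {len(report)} re-identified")
        for handle, r in report.items():
            print(f"  {handle:13s} {r['condition']:8s} -> {r['candidates']}")
```

With the full ZIP code and exact age every pseudonym in the sample resolves to a single name, so the diagnosis is effectively published under that name. Coarsening to a 3-digit ZIP and a 10-year age band still leaves half of them unique, which is the practical point: a patient can only reason about this by counting how many other people share the details they post, and a site that shows ZIP code and age next to a condition is handing the attacker that count.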
Social engineers, too, could pose as patients and begin to extract enough information to steal the victim's identity and use it for prescription fraud or financial fraud, he says. "That's the risk I see in these social networks," says Mount Sinai Medical Center's Contino. "In a hospital institution, we have security officers and we train IT people to let employees know the risks. On the Internet, patients are [sharing this information] themselves."
Typically, it is healthy people who have privacy concerns, he says. "There's a strong dichotomy here," he says. Healthy people are more likely to be up in arms over privacy, whereas sick people are more willing to share because they are so eager for help or information. "They don't recognize the risks at the time," he says.
Many of these social networks sell their data to pharmaceutical companies, for instance, and they can also provide a new conduit for marketing in the wake of the HITECH Act, which limits the use of patient health data for direct marketing to patients, Contino notes.
At the same time, social networks can't guarantee their members are who they say they are; there's no true authentication. Michael Magrath, director of business development for government and healthcare at security firm Gemalto, says that could allow a fraudster to pose as a healthcare professional on the site, which could have devastating results for a patient looking for medical advice.
Meanwhile, the millions of dollars healthcare companies are spending to protect patient records could be in vain if some of these patients are willingly posting it online, Ernst & Young's Dhanjani says. "I understand the frustration healthcare organizations may feel. They are spending hundreds of millions of dollars trying to get their security controls in order with the ultimate goal of protecting medical records, while the patients themselves are publicly and voluntarily revealing the very same data. This is going to become a bigger conflict in the near future as more and more patients decide to leverage social networking applications like PatientsLikeMe," he says.
Healthcare organizations are too busy fixing traditional security controls to focus on this potential privacy conflict, he says. "They seem to have a myopic view of how social networking relates to their security posture, one that is solely based on monitoring their own employees. Healthcare organizations need to re-evaluate their investments in security efforts to make room for projects to make sure they are aligned with the business implications of their patients participating [in social networks]," he says.