04:46 PM
Social Networks For Patients Stir Privacy, Security Worries

Facebook-like profiles and posts by patients put medical information at risk of theft, abuse

Social networking is infiltrating healthcare with platforms for patients to share intimate details of their diagnoses, medications, physical conditions, locations, and other personal data -- and not necessarily anonymously.

Members of emerging sites such as PatientsLikeMe, DailyStrength, and HealthyPlace can post profiles similar to those on Facebook, and many users are posting their photos, hometowns, and personal health information that could ultimately be abused. Like the mainstream social networks Facebook and LinkedIn, these online patient communities are attractive targets for identity thieves, spammers, and other bad guys trolling for valuable information, security experts say. They also could be used by targeted attackers, employers, or others to gather private information about a patient that could be used against him or her.

Ironically, the emergence of these sites comes amid growing concerns over patient privacy and the security of patient data in the move to electronic medical records. Indeed, medical identity theft is on the rise: A recent Ponemon Institute study found 1.5 million Americans have been victims of medical identity theft, to the tune of $28.6 billion, or about $20,000 per victim. According to the Smart Card Alliance report on medical ID theft published this spring, patients hit by this crime typically don't learn about it until they receive a suspicious bill or a doctor notices something awry in their records; in the worst case, it can lead to medical errors and fatalities.

The new generation of patient social networks exposes users to these crimes, as well as to other privacy breaches, experts say. Some patients are more willing than others to share personal information and details on these sites, which can serve as welcome or comforting outlets for patients or caregivers looking for support or more information. "There are people who are open and don't care. But there are some who want to participate and are thinking their identities are anonymous," says Nitesh Dhanjani, a senior manager at Ernst & Young and a security expert.

Dhanjani says it's possible to uncloak the identities of even anonymous users on patient social networking sites, such as PatientsLikeMe. An anonymous member's information could be compared and correlated with his or her Facebook profile, for example, Dhanjani says.

"Some folks have diseases that unfortunately have a stigma attached to them [and they] sign up with fictitious names," he says. "It's still possible to ascertain these people's real identities by fingerprinting their grammar habits and, most importantly, the nicknames they use for their IDs. In other words, there are people out there declaring details of their medical records thinking they are anonymous, but they are not."

He says it's not difficult to correlate a user's Facebook profile or other online information with that of PatientsLikeMe, for instance, to gather the patient's identity information for phishing or other nefarious purposes. "We know from social networking that with one handle and any one piece of data you have in Facebook, you can easily connect the dots and link everything up" to learn more about a person, he says.

PatientsLikeMe has around 80,000 members, 10,000 of whom have public profiles that can be viewed by nonmembers of the site. Members can choose to be "visible," where registered members can see their profile and username and can contact them via the site. Or they can be "public" members, where nonmembers can view their profile data and registered users can contact them via the site. Executives from the social network were not available for an interview for this article.

Some healthcare organizations are starting to take note of the risks of these healthcare-centered social networking sites. Paul Brian Contino, vice president for information technology at Mount Sinai Medical Center and chair of the Smart Card Alliance's Healthcare Council, says social networking is definitely infiltrating the healthcare industry and bringing with it the related risks. "The patient population is very vulnerable" to fraud and cybercrime, Contino says. "If they have the time and tools, which are becoming more readily available for forensic auditing of this information, you can link together a lot of information [about someone], even if they are anonymous."

Patients on these sites who post their cities of residence can be traced, along with their IP addresses and where they have been hospitalized. An attacker could put the pieces together and determine someone's identity, Contino says. "What concerns me a lot is the average consumer on the Internet doesn't realize how sophisticated these [tools and social engineering attacks can be]," he says.

That could impact the patient's family's financial situation, for instance. "It's easy to link someone's ZIP code and location with their disease process and a couple of other pieces of information and cross-reference and figure out who that patient is," says Dr. Barry Chaiken, chief medical officer at Imprivata. That information could be used against the patient's family in a business deal, for example, due to the financial implications of the illness, he says.
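The linkage Chaiken describes is a quasi-identifier problem: ZIP code, hometown, and condition are individually harmless, but the combination can single out one profile. The following is an added example, not code from the article or from any site it names, of the check a site operator or privacy engineer could run over a profile export before making profiles public. It computes the k-anonymity of the exposed fields over a constructed set of profiles (all handles, ZIP codes, and conditions are made up), lists the public profiles whose field combination is shared by fewer than a threshold number of others, and shows how generalizing ZIP codes to a three-digit prefix and dropping hometown raises the smallest group size.

```python
"""Re-identification risk check for public patient profiles (added example).

Measures the k-anonymity of the quasi-identifiers a public profile exposes
(ZIP code, hometown, condition) and shows how generalizing those fields raises
the smallest equivalence class, so no single profile is pinned down by them.
"""
from collections import Counter
from typing import Dict, List, Sequence, Tuple

Profile = Dict[str, object]

# Constructed sample profiles: handles, ZIP codes, and conditions are invented.
SAMPLE_PROFILES: List[Profile] = [
    {"handle": "river_walker", "zip": "10029", "hometown": "New York", "condition": "MS", "public": True},
    {"handle": "bridge_fan", "zip": "10029", "hometown": "New York", "condition": "MS", "public": True},
    {"handle": "quiet_ok", "zip": "10029", "hometown": "New York", "condition": "MS", "public": True},
    {"handle": "uptown_dad", "zip": "10025", "hometown": "New York", "condition": "MS", "public": True},
    {"handle": "fenway_kate", "zip": "02115", "hometown": "Boston", "condition": "ALS", "public": True},
    {"handle": "backbay_jo", "zip": "02116", "hometown": "Boston", "condition": "ALS", "public": True},
    {"handle": "private_pt", "zip": "02115", "hometown": "Boston", "condition": "ALS", "public": False},
    {"handle": "harlem_ray", "zip": "10029", "hometown": "New York", "condition": "ALS", "public": True},
    {"handle": "morningside", "zip": "10027", "hometown": "New York", "condition": "ALS", "public": True},
]

# Fields a non-member can read on a public profile (assumed for this example).
DEFAULT_QI: Tuple[str, ...] = ("zip", "hometown", "condition")


def _key(profile: Profile, keys: Sequence[str]) -> Tuple[str, ...]:
    """Quasi-identifier tuple for one profile; missing fields become ''."""
    return tuple(str(profile.get(k, "")) for k in keys)


def equivalence_classes(profiles: Sequence[Profile], keys: Sequence[str] = DEFAULT_QI) -> Counter:
    """Count how many public profiles share each quasi-identifier combination.

    Private profiles are skipped: they are not visible to non-members, so they
    do not contribute to what an outsider can correlate.
    """
    return Counter(_key(p, keys) for p in profiles if p.get("public"))


def k_anonymity(profiles: Sequence[Profile], keys: Sequence[str] = DEFAULT_QI) -> int:
    """Size of the smallest equivalence class (0 when nothing is public)."""
    classes = equivalence_classes(profiles, keys)
    return min(classes.values()) if classes else 0


def at_risk_handles(profiles: Sequence[Profile], keys: Sequence[str] = DEFAULT_QI, k_min: int = 3) -> List[str]:
    """Public profiles whose field combination is shared by fewer than k_min profiles."""
    classes = equivalence_classes(profiles, keys)
    return [str(p["handle"]) for p in profiles if p.get("public") and classes[_key(p, keys)] < k_min]


def generalize(profiles: Sequence[Profile], zip_digits: int = 3, drop: Sequence[str] = ("hometown",)) -> List[Profile]:
    """Return copies with ZIP truncated to a prefix and the listed fields removed."""
    out: List[Profile] = []
    for p in profiles:
        q: Profile = {k: v for k, v in p.items() if k not in drop}
        q["zip"] = str(p.get("zip", ""))[:zip_digits]
        out.append(q)
    return out


if __name__ == "__main__":
    print("k over (zip, hometown, condition):", k_anonymity(SAMPLE_PROFILES))
    print("profiles in groups smaller than 3:", at_risk_handles(SAMPLE_PROFILES))
    coarse = generalize(SAMPLE_PROFILES)
    print("k over (zip prefix, condition):", k_anonymity(coarse, ("zip", "condition")))
```

On the constructed data the full field set gives k = 1 (five public profiles are unique on ZIP, hometown, and condition), while ZIP prefix plus condition alone gives k = 2. The threshold to enforce is a policy choice; the point is that a site can measure the exposure of what its public profile template reveals rather than leave it to each member to guess.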

Social engineers, too, could pose as patients and begin to extract enough information to steal the victim's identity and use it for prescription fraud or financial fraud, he says. "That's the risk I see in these social networks," says Mount Sinai Medical Center's Contino. "In a hospital institution, we have security officers and we train IT people to let employees know the risks. On the Internet, patients are [sharing this information] themselves."

Typically, healthy people are more likely to have privacy concerns, he says. "There's a strong dichotomy here," he says: Healthy people are more likely to be up in arms over privacy, whereas sick people are more willing to share because they are so eager for help or information. "They don't recognize the risks at the time," he says.

Many of these social networks sell their data to pharmaceutical companies, for instance, and they can also provide a new conduit for marketing in the wake of the HITECH Act, which limits how patient health data can be used for direct marketing to patients, notes Contino.

Even so, social networks can't guarantee their members are who they say they are. There's no true authentication. Michael Magrath, director of business development for government and healthcare at security firm Gemalto, says that could allow a fraudster to pose as a healthcare professional on the site, which could lead to devastating results for a patient looking for medical advice.

Meanwhile, the millions of dollars healthcare companies are spending to protect patient records could be in vain if some of these patients are willingly posting the same data online, Ernst & Young's Dhanjani says. "I understand the frustration healthcare organizations may feel. They are spending hundreds of millions of dollars trying to get their security controls in order with the ultimate goal of protecting medical records, while the patients themselves are publicly and voluntarily revealing the very same data. This is going to become a bigger conflict in the near future as more and more patients decide to leverage social networking applications like PatientsLikeMe," he says.

Healthcare organizations are too busy fixing traditional security controls to focus on this potential privacy conflict, he says. "They seem to have a myopic view of how social networking relates to their security posture, one that is solely based on monitoring their own employees. Healthcare organizations need to re-evaluate their investments in security efforts to make room for projects to make sure they are aligned with the business implications of their patients participating [in social networks]," he says.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
