Wednesday, May 06, 2009
Editorial: Medical records held for ransom
A hacker invaded state databases and claims to have stolen millions of records about Virginians.
Attention Virginia doctors and patients with prescriptions: Some very bad people might have your personal information.
Last week, a hacker broke into state medical computer systems attached to the Internet. He possibly had access to records about doctors and now claims to hold more than 8 million patient and 36 million prescription records. He replaced the systems' home page with a ransom note saying he will give the records back if Virginia pays a $10 million ransom.
The hacker deleted the records while he was in the system, and in his ransom note taunts that the state's backups are missing. The extortionist threatens to sell the data on the black market if the state refuses to pay.
In the arms race between computer security experts and black-hat hackers, this sort of incursion is inevitable. That realization does not lessen the stress now felt by people whose records might be at risk.
Yet Virginia must not capitulate lest it set itself up as a potential victim for every hacker out there. Besides, there is no guarantee the hacker would not sell the data anyway once he has received payment.
That decision is easy. The incident, however, presents much tougher challenges that stretch to the halls of power in Washington.
State technology officials have some serious explaining to do about how this happened and, more important, what they will do to safeguard databases in the future. If this one system was vulnerable, others might also be at risk. And who was responsible, state employees or contractors hired to manage state computers?
More troubling is the backup data. If it is missing, then a serious data management lapse occurred that demands individual accountability. Crucial information like this should be backed up regularly to other media and stored in a secure facility off-site.
President Obama might want to ask some questions, too. He chose Virginia Secretary of Technology Aneesh Chopra to serve as the nation's first chief technology officer.
This incident happened on Chopra's watch, and he must explain why Americans should now trust him with crucial information technology.
Finally, this breach of a medical server offers an important heads-up to federal officials who believe digital medical records must be a cornerstone of reducing medical costs and improving care. Hackers will target those new systems, and the nation must be prepared.
It's one thing when private companies aggregate data volunteered by their customers. It's something else entirely when the state collects personal data on its citizens. Such databases deserve the highest protection.




