22C3 - 2.2

22nd Chaos Communication Congress
Private Investigations

Speakers
Karin Spaink
Schedule
Day 1
Room Saal 2
Start time 12:00
Duration 01:00
Info
ID 489
Event type Lecture
Track Society
Language English

Hacking health

Electronic Patient Records in The Netherlands

I have been researching the implementation of electronic patient records (EPR) in NL. The first part of EPRs - a national database of the medication that each patient is prescribed - will become mandatory in early 2006.

To 'ease the implementation' of a national EPR database, all Dutch citizens will be given a Civil Service Number which supplants our social security number. This CSN - which is actually the same identifier as your social security number - will be used in health services, school, child care, work and taxes. The Dutch government states that the use of this CSN will be regulated 'within existing European privacy laws' but also adds that using one identifying number in all social areas, including health care, is 'helpful in matters of law enforcement'. On top of that, national electronic (biometric) identity cards will be issued, allegedly to allow citizens (patients) to log in to their personal EPRs, notwithstanding the fact that hardly any EPR software exists that allows patients to log in. In other words, EPRs are at least partially used to sell biometric identity cards.

EPR implementation is supposed to reduce bureaucracy in health care, and to reduce the number of medical errors; thus, it supposedly helps to cut down costs. Policy makers do not seem to take into account that automating EPRs creates a new subset of medical errors (input errors now being the 4th most common reason for medical errors). Also, they overvalue using computers, believing them to be 'flawless'.

Security around EPRs is bad. One Dutch hospital was not able to see policlinic patients for a week, due to a computer virus. More hospitals have had virus problems but have refrained from stating so. The Dutch Health Inspection issued a warning that a pharmacy software program used to calculate medication dosage miscalculated the amount for 200 medicines, amongst them cytostatics.

To test the safety of hospital computer systems, I organised a penetration test with two random hospitals that used EPRs. We were able to access 1.2 million patient records.