My name is Jen Gilburg and I am the Director of Business Development for the Identity and Authentication Solutions team here at VeriSign.
Google's announcement of the launch of a new program that allows users to post their medical records online caught my attention. While there are obvious benefits to having a centralized store of historical health information, medications, test results, etc., my first inclination was to be concerned about the security of such personal information.
Naturally I am inclined to believe that everything should have strong authentication. However, not wanting to be overly paranoid, I thought I would investigate just what the exposure is should one gain access to my medical records. I mean -- just how much damage could be done should someone discover that I have hay fever and a rather bizarre allergic reaction to arugula? Is there value in gaining access to my epi-pen prescription?
So I did some simple research. I first went to my insurer, which has a portal where I had previously registered for an online account. Once I logged in with what I will admit was a weak userID and password, I was actually surprised to see the ability to view my name, Group ID # and Member #, all in clear text! I could review my benefits and, should I have entered them previously, my online medical records. Additionally I could order online prescriptions, check claim status, and file pre-authorization forms for any medical procedure covered by my plan.
My paranoia was starting to feel justified.
I then went to my healthcare provider, which is a regional medical foundation and also has an online portal. I was able to request appointments, book labs, renew prescriptions and see test results, all by gaining access via a weak user name and password.
Alright, so access is easy, and a little more information than I care to admit is readily available, but what really is the risk of personal damage?
According to the 2006 National Health Interview Study, 14.8% or 43.6 million Americans are without health insurance. That was a 2.2M increase over the prior year, and this number will no doubt be even higher once 2007 is reported. With that, there has been an increase in medical insurance fraud. It would be relatively easy to hijack an account, make appointments, order tests, and see the results all online using someone else's insurance and identity. Beyond the initial visit when asked to provide the insurance card, have you ever been asked for any validation of identity when visiting your doctor or, for that matter, when picking up a prescription?