12.09.2013

“Friendly attacks” against patient data

As the IT services provider of the Austrian social security funds, ITSV GmbH is responsible for protecting the data of the people insured by these funds. In light of the latest scandal involving the sharing of patient health information by doctors, futurezone met ITSV GmbH’s two managing directors to talk about data protection and the electronic medical file.

ITSV GmbH coordinates and manages all IT activities of the Austrian social security funds and is responsible for developing central services and operating data centers. The company also operates the Customer Care Center, which handles inquiries from beneficiaries and contract partners about the E-Card, among other things. ITSV GmbH has been certified according to ISO 27001 since 2011. Hubert Wackerle and Erwin Fleischhacker are ITSV GmbH’s managing directors.

How is Austrian beneficiary data protected at ITSV GmbH? What concrete measures are applied to provide the necessary protection?
Wackerle: The protection of this data involves a number of different aspects. First, one of the most important departments in our company is dedicated to security and risk management. At the personnel level, we regularly conduct security training to create and maintain security awareness among our employees. We also hold internal competitions that deal with the subject of “security and employees.” It is well known that one of the greatest security risks in a company is its employees.

I agree with you, but creating awareness is not enough in and of itself. What else do you do?
Wackerle: Another security measure that ITSV GmbH has implemented to protect data is the introduction of high security standards for its infrastructure. A special, chip-based system controls access to all offices. For example, one of our data centers can only be accessed after an authorized person has presented identification and passed a vein scan.

We also operate the central Internet node for all social security funds, and can do a lot to protect it. We use many different technologies that are available on the market, from virus scanners to encryption systems and intrusion detection models. Within the social security system, we operate the corporate network of the social security funds. This is a closed network with no external access to ensure secure communication between the individual social security funds.

You also conduct simulated hacker attacks. Are these equivalent to real attacks?
Wackerle: In reality, we are not a primary target at this time. We are not really subject to attacks. When we receive an alarm from the CERT center, we of course investigate it in depth. Hackers have attempted to penetrate our system, but none has been successful yet. The attacks that we initiate are the same as would be made by a genuine attacker.

The white hat hackers work with the same methods as the black hat hackers. The difference is that we receive reports about the test attacks that show exactly what was done, how far the person got, by what avenues the system can be accessed, and where improvements should be made. We immediately implement improvements on the basis of these reports. This is always very interesting for us, because we do not know when these “friendly attacks” will take place.

Where exactly is the beneficiary data saved? Is there more than one data center, and is the data backed up?
Wackerle: We have three data center sites where we save beneficiary data, and consider all of them together to be one data center. Two of these sites are in Vienna, which are synchronous and mirrored, and one in Linz, which stores data asynchronously. The third site is set up primarily for our test and development environments. However, this site would be able to take over emergency operation on the next business day if both sites in Vienna were to fail so that the most important functions would be available to the social insurance funds. This is just a contingency for a catastrophe, however.

The data center sites in Vienna were relocated last year. That was a very complex project. The sites are generally unmanned, except for hardware maintenance and operation technicians. And speaking of security, there is no automatic access at any of our data centers. Access is only possible with advance registration and proper identification.

To get into one of our sites, a person must undergo a vein scan. Then, the person is given an access card that lets them pass individually through a security system. There, the access card is checked, and a vein scan must be completed again. The first of the interlocking doors only opens when the results are identical, and there is only space for one person between the doors. The first door closes, and the second door then opens, allowing the person to enter the site. This is high security like in Mission Impossible. Practically no one can get in; there are only a few people with permanent access authorization. Everyone else, including us, has to register a day in advance and submit identification. Everything is documented in detail, and access authorization is then granted for a specific time period.

How much data is saved? Can it be called “big data”?
Fleischhacker: We have roughly 14 million master data records for social security beneficiaries. These master data records are very current, because they are updated every day. We also want to keep the master data as current as possible. That is one of the reasons that we were selected as a partner for the electronic medical file. Another important reason was definitely the central patient index, which we operate. This contains all important information that is needed for the electronic medical file.

Wackerle: We have 1.3 petabytes of total storage capacity, or nearly 3 petabytes when you take mirroring into account. That is quite a lot; I would call it “big data.” Our data volume grows by 25 to 30 per cent every year. The speed of this data growth has increased considerably in recent years. We work with a relatively large quantity of structured data. Secondary data, like from social networks such as Facebook, is not very relevant for us at this time.

Do you plan on processing secondary data? It sounds like you are thinking about it.
Wackerle: No, not directly, but the question is always how the business model of a social insurance fund will change. Will it one day want to contact its beneficiaries through apps and smartphones? Do they want to begin using social media because people want that? Things are changing very rapidly, so we cannot rule this out. We don’t expect to work with social networks, but we will see.

So you protect the data by only saving it in Austrian data centers, but are also thinking about using data from portals like Facebook that have rather loose data protection standards. Do Austrian social security funds want that?
Wackerle: Of course not! Data security is extremely important. Every beneficiary should trust in the fact that his or her social security information is physically located in Austria, and that this information will not be stored or shared anywhere else at all.

It sounds like our beneficiary data is a lot safer than the medical information that our doctors have. At some offices, someone’s medical file will be open on the screen in front of you while the doctor is treating that patient in the next room. How secure is this information in doctors’ offices?
Fleischhacker: This does not fall under our responsibility. Every doctor is responsible for ensuring that the data he uses is protected. We don’t want to comment further on that.

Erwin Fleischhacker and Hubert Wackerle from ITSV GmbH

After roughly 350 doctors are said to have sold medication information about their patients, some people are wondering how safe their information will be with the electronic medical file that is currently being established. What do you think?
Fleischhacker: ELGA GmbH will be responsible for defining the security requirements for using the electronic medical file, and for ensuring that they are met. Because the electronic medical file is a decentralized system, every operator and participant, including ITSV GmbH, will have to implement and comply with these security requirements to participate in the electronic medical file. Violations of these requirements can lead to temporary access suspensions to ensure that the overall system has a consistently high level of security.

One of the most serious criticisms that security experts level against the electronic medical file is that the data is transmitted in encrypted form, but stored in unencrypted form.
Wackerle: The data in the electronic medical file will be saved where it is saved today. All the electronic medical file does is allow this data to be networked – it does not mean that the data is saved at a central location. There is no data center where all electronic medical file information is stored. The system only allows the data that is saved there to be viewed. Unencrypted storage is relevant where data is saved in unencrypted form today. And that brings us back to what we were talking about before.

What data is saved in your data centers in connection with the electronic medical file?
Fleischhacker: The master data, the central patient index and the log data, in particular who submitted a query to where, and what that person accessed. The medical data is not stored on our servers, but where it is originally collected.

What exactly is a central patient index?
Fleischhacker: The central patient index shows everywhere where data that is relevant for a person’s electronic medical file is stored. When you submit a query with a name, the system checks who that person is and where medical information that is relevant for his or her electronic medical file is located. If a doctor wants to access patient information for treatment purposes, the patient can release this information.

Wackerle: The primary aspect is the unique identification of a person. Then, the system knows that information about you is stored at specific locations. The identification process is complex. At hospital X, your information may be saved under the name Wackerle H., and under Hubert Wackerle at another hospital, and under Wackerle Hubert at a third hospital. The system at a single healthcare facility knows who I am, but identifying me consistently throughout the entire system is not so easy. The central patient index combines these data records, and in that way can uniquely identify a person.

The electronic medical file portal for patients – won’t that be an attractive target for attacks?
Fleischhacker: Do you use online banking?

Wackerle: Of course the electronic medical file portal itself will be an attractive target because it contains sensitive information. ELGA GmbH will have to employ all the security measures that are necessary to prevent unauthorized use of any kind. First of all, there are very strict punishments under law. Because everything is being designed and set up by people, we can assume that people can also penetrate it. So we have to do everything we can to prevent that.

Do you think the concerns about the electronic medical file are justified?
Fleischhacker: I think that the main reason that people have been and still are concerned about the electronic medical file is untrue stories, along with aspects that still need to be clarified and determined. There will be an extensive information campaign in the second half of 2013 to provide everyone with extensive information before the launch of the electronic medical file on January 1, 2014.

Do you think that the advantages outweigh the risks?
Fleischhacker: I am certain that the advantages outweigh the risks. There are countless examples like your story of the doctor, and anyone who thinks that their information is more secure now than it will be after the electronic medical file is wrong, in my opinion. There will be no more risk of double examinations, it will be possible to avoid contraindications – these are all things that I welcome personally.

Won’t the electronic medical file make people more transparent?
Wackerle: I don’t think that it will make patients more transparent. The information is already available today. For me, the electronic medical file is a quantum leap in healthcare.

(futurezone) Created on 12.09.2013