As many will know, in April the Synlab facility was attacked by the BlackBasta collective. Among the data exfiltrated, in addition to identity documents and internal information on the facility, there were also many medical reports. In this article, we will examine the relationship between health data and file management, focusing in particular on management as a privacy protection measure.
File Management
File management is one of the most relevant aspects to ensure the protection of a patient/user’s privacy. A file, although non-speaking, could be placed in a folder that could reveal the identity of the person or, perhaps, the type of illness he or she is suffering from. There are normally three elements to pay attention to:
- File location: the file should not allow the user/patient to be identified explicitly (first name, surname, etc.), but should be based on a pseudonymisation principle using, for example, the patient identification number.
- File name: it could risk identifying the pathology of the subject or directly the name of the subject: especially if the file is named explicitly.
- File content: especially when it contains special information, it should be adequately protected against unlawful removal and opening.
To give an example: let us imagine that the user Mario Rossi has the patient ID 12345 and is hospitalised in oncology. Look at the difference between a classic file and folder structure and one designed to offer greater guarantees:
-Oncology
| Dr Giulia Bianchi
|-Rossi_Mario
|-20_05_2020-CT scan report Rossi Mario.pdf
|-12_06_2020-Consultation for migraine Rossi.doc
|-02_07_2020-Letter ASL glioblastoma for Rossi Mario.pdf
Already by imagining such a structure it is possible to reconstruct some information: Mario Rossi is being treated in the Oncology Department under the care of Dr Giulia Bianchi. He has a glioblastoma for which he underwent a CT scan in May 2020 and which was followed by a consultation for migraines in June 2020; the information is explicit and is, of course, all telling. Try, instead, to consider a different structure.
-REP04
|-73260
|-992749232
|-20_05_2020-CT report.pdf
|-12_06_2020-Department consultation.doc
|-02_07_2020-Letter ASL.pdf
Try now to answer these questions:
- What is the patient’s name?
- What is the name of the doctor in charge of the patient?
- Which ward is the patient in?
- What is the pathology the patient is suffering from?
Although it is possible to make assumptions, it is much more difficult to estimate the nature of the pathology: a CT scan is an examination that is performed for many purposes, not only in oncology. Moreover, it becomes impossible to identify the patient without knowing his or her identifier, just as it is impossible to identify the doctor treating him or her. The only way remains to get hold of the documents and open them.
The Synlab case and common errors
Among the documents stolen by the BlackBasta collective from Synlab, there was also a spermiogram which, if you looked at it closely, showed all the features to protect the patient’s identity. First of all, the name and surname is never mentioned, but above all, no other personal data that could identify the patient is given. The laboratory technician is never fully named: only initials are used. This prevents the person from being uniquely identified, protecting him or her from wrongdoing.
Inserting an examination in PDF format, within a folder named with the patient’s first and last name is, unfortunately, a common practice and is a major error that allows the examination to be associated with the subject and its conclusions. Imagine, in fact, finding folders named as follows:
Check-up_Maria-Whites
Check-up_Luisa-Neri
Check-up_Paola-Rossi
It is clear that this structure, with the attached files, would be much more explicit than the pseudonymised file and folder structure depicted above. The hackers published the contents of folders managed by SynLab, including the infamous report folder that would contain approximately more than 1,860 PDF files of clinical outcomes.
Accompanying the clinical information would then be technological information: passwords, internal addresses, configuration instructions, all kept perfectly ‘in the clear’ within Word documents or even in .txt format. In short, Synlab does not deviate from the routine of many other affected facilities, demonstrating that despite the ISO9001 certified by Bureau Veritas, we are a long way from the proper maintenance of information in quality and security.
Why management is important
An important aspect will not have escaped the notice of the most technical experts: even if a pseudonymised file and folder structure is adopted, in the presence of file exfiltration such as that suffered by Synlab, the information could be ‘reconstructed’, rendering the pseudonymisation mechanism useless. It would be enough to open the files in the folders, or to perform a normal search, to find out to whom the reports belong and to know their contents.
This means that it is not possible to process particular information in such a way. It is not smart and safe to keep thousands of reports in a normal folder even with the pseudonymisation rules listed above. Instead, it is necessary to operate within a more protected environment that, while facilitating the task of navigating between files and folders, adequately protects the archive. Management software serves this purpose and should be adopted by any structure that handles information of a special nature such as, for instance, health data. Although there are no requirements that explicitly prohibit the use of classic folders and a correctly set up filesystem, it is necessary to foresee the risk of an accident and to calculate the consequences, which would in any case be disastrous for patients.
Why is management different?
Management software is software designed to protect and facilitate the management of specific types of data. In the case of the health sector, the management software is able, for example, to maintain an easy search for patient information by doctors, without exposing this data to the risks of exfiltration. Management systems (especially those in the health sector) are based on fully encrypted databases that can only be read and used by authorised personnel. Any attempt at exfiltration would be in vain: the hacker would only find a pile of encrypted data that cannot be read, analysed and used in any way.
Why are they not used?
In many cases due to problems of practicality, time and training. Doctors have a complex, long working day and management software would require specific training in which the hospital does not want to invest. In other cases, there is an age problem that leads older doctors to lack the same technological confidence as younger ones. These are seemingly trivial problems and certainly unacceptable in the eyes of a patient, but they are real problems and they are everyday problems that the health management should actively manage by running training courses and providing doctors with the opportunity to ‘adapt’ to the use of a management system. These are all largely solvable problems.
Among other problems, there is also the conduct of the individual doctor, who could easily export the documents contained in the management system to be able to work outside the facility without guaranteeing adequate security, often contravening the rules imposed by the health management.
Finally, there is the criticism of application differences: doctors working in several facilities complain about the functional heterogeneity of management systems. This would lead to too much training and possible macro-differences in the use of the systems. Certainly, as far as the use of management systems is concerned, it is possible that for public facilities AgID provides a predefined set of commands, navigation modes, and general interface configurations. In this way, although developed by different parties, the management systems will appear similar to each other, guaranteeing continuity if the doctor changes structure. The intervention of AgID would precisely guarantee that harmony necessary to allow ‘widespread use’ of the various software solutions, without hindering the development of any additional functionalities with which each developer could enrich his own solution.
Conclusions
At the root, as always, there is therefore a cultural problem and a problem of good practices to which due attention is still not paid and which will necessarily have to change. The lack of adoption of a secure file management system will always entail the risk of illicit exposure of data to malicious actors of various kinds.
It is not only a problem stemming from ransomware attacks. It is worth mentioning that in 2022, DarkTracer successfully mapped millions of stealer threats installed inside information systems worldwide, with the aim of stealing information from infected computers. In most cases, these infections had not even been noticed by those responsible for the information systems. The problem is therefore not the ransomware threat, but the correct handling of files and information to avoid problems of various kinds.
Finally, there is no point lying about the cultural state of digital medicine in Italy: according to an article published in ANSA on 11 May 2024:
The electronic health record is updated barely once in five (…) Only 20% of family doctors update the electronic health record (…) we need common IT platforms between hospital and community facilities, because even if the doctors deployed in the latter update the electronic health record, today in many cases the IT systems of the various health facilities, even within the same region, do not communicate with each other.
Source: ANSA ‘Every year 2 million improper admissions and a waste of 6 billion’, Link
In short, there is no culture and therefore no adequate technological response. If technology is not told ‘what’ to do and ‘how’ to do it, it will be partially or completely useless.