State Prescription Monitoring System Protects Against Hackers

HealthLeaders Media Staff, May 15, 2009

Stan Tylman does not believe the Virginia Prescription Drug Monitoring Program was hacked by a crafty computer whiz who's about to get rich through a ransom demand.

"It looks like some college kids pulling some stunts," says Tylman, the manager of the Illinois Prescription Monitoring Program.

Nonetheless, Tylman pays close attention to developments surrounding the story of the VPMP.

A hacker broke into the VPMP Web site last month and left a ransom note that said it had more than 8 million patient records and 35.5 million prescriptions. It is demanding $10 million in exchange for the records.

Tylman and Illinois' program—which Tylman coined the "Prescription Information Library," or PIL–is already tweaking its Web site security in light of the Virginia incident.

Essentially, the Illinois system has two main ports to which information is disseminated from the 14 million patient records on controlled substance prescriptions. One port is open only to a specific IP address.

"The other port we're going to be changing somewhat based on what happened in Virginia," Tylman says, "to make it even more secure."

The Illinois Bureau of Pharmacy-run system also hired private computer experts to control its server and monitor data collection. The PIL also has an internal tracking system.

"We've got a tracking system for every time someone logs on," Tylman said. "We've got electronic volumes of this stuff. It traces exactly who goes into the system."

At one point, one of the 7,000 registered users of the monitoring program–composed of doctors and pharmacists only–continuously entered the wrong password as he tried to log in. Illinois' Web tech support manager called to let him know he forgot to capitalize a letter.

In addition, Illinois also hired an outside vendor to come in and try to hack the site to detect vulnerabilities.

"We're here to help, but we have to protect the integrity of the data from the mischief makers," Tylman says. "Even I can't get into the system."

It also conducts background checks on doctors who want to register for the program, which has been online for almost a year-and-a-half. Tylman's group checks on doctors' state and medical licensing numbers to see if they're in good standing.

"Then we Google them," Tylman says, "to look up and see that they're giving us a legitimate clinic."
Then, Tylman's group will give the clinic a call and ask if "Dr. X" works there.

"And we don't sign them up until then," Tylman said.

While the potential is there for a breach of millions of patient records, like in Virginia, Tylman says the prescription monitoring program is a bargain. When it went to electronic files and did away with the massive paperwork system, the cost to operate dropped from $750,000 to $200,000 a year. Doctors and pharmacists now spend only about $10,000 to $25,000 per year to participate, down from millions, Tylman said.

Not only can it help doctors control substance abuse among patients, it also aids criminal investigations. Illinois law enforcement officials make about six to 12 requests for records per week.

But there's always the security risk, and Tylman says his group is vigilant in protecting private information of patients--especially in light of Virginia.

"Hackers can add stuff on the edge and break through these systems," Tylman says. "There are key loggers who are real slick about that. They'll try to put in software that records key strokes. We're taking steps to prevent that."

Facebook icon
LinkedIn icon
Twitter icon