Security an Ongoing Task

We've seen much debate in the past on security and patient privacy.  Here's a brief reminder that (as we've argued) security is an ongoing process and not a one time fix.

“There’s nothing in security that you can do once,” says Kate Borten, president of the Marblehead Group, a consulting firm in Marblehead, Mass. “Risk assessment never stops. This is supposed to be ongoing.”

Everyone benefits when organizations focus on putting policies in place that make it more difficult to steal (or lose) sensitive data.

Federal Investigators Warn of Privacy Issues with US NHIN

This NYT article is getting a lot of looks recently.  The GAO is chiding the Bush Administration for pushing for EHR and interoperability without a firm and realistic security plan in place:

The Bush administration has no clear strategy to protect the privacy of patients as it promotes the use of electronic medical records throughout the nation’s health care system, federal investigators say in a new report.

This topic is in the news more and more these days and is clearly on the minds of many.  One interesting point I'd like to see clarified:

Several members of Congress have drafted legislation to clarify consumers’ control over such data. One proposal, by Senator Sam Brownback of Kansas and Representative Paul D. Ryan of Wisconsin, both Republicans, would establish health data banks in which people could store electronic copies of their medical records. Under the bill, a consumer would “maintain ownership over the entire health record” and could control access to it.

By contrast, under existing federal rules, hospitals and other health care providers generally do not have to obtain a patient’s consent to use or disclose information for “treatment, payment or health care operations.”

There's no mention of the logistics of the Brownback-Ryan proposal.  One wonders if they have any idea how that would work, what strictures it would impose on the healthcare industry, whether it's at all feasible, etc. . . .  For instance, if the "consumer" had control of what was in the "bank" there would still be data at the doctor's office.  Would the bill address the individual locations and how they protect patient data?  Would it be realistic to expect that the patient-controlled record could be used as an accurate, reliable record for doctors to work with?  We've already seen protestations against PHR that allow patients to "edit" their records.

Is this even something that Congress can be trusted to deal with?  Should the market be allowed to work out these issues?  Is it too early to answer any of these questions???  Any ideas?

HIT Security Trianing

Privacy and security are a process.  They require the proper mindset from employees of healthcare organizations.  This brief article serves as a valuable reminder that security is a weakest link proposition.  No matter how well conceived your organization's protocols are, they are only as strong as the actual practice.

[Tacoma (Washington) Community Colleg health information management  distance learning instructor Kelley] Meeusen advises trainers to ask employees at the beginning of training whether they’ve ever sought treatment at the facility.

“Now they have a personal stake. Then I start elucidating what information we hold--addresses, telephone numbers, Social Security numbers, birth dates--everything necessary to steal your identity,” he says. “We also know what diseases they have [and] what procedures they’ve had. We know whether they’ve had psychiatric care, whether they’ve abused their children, [and] whether they’ve cheated on a spouse--we know all of these things about our patients—and our patients include you, your loved ones, and your coworkers.”

IT staff and security professionals will do their part to ensure information security, but typical employees can practice safe password behavior, adhere to organizational policies, and report inconsistencies or problems to the information security officer. Even employees who probably don’t have computer access (e.g., housekeeping staff, security guards, etc.) can contribute to facility access control by noticing people or things that are out of place.

The piece goes on to discuss the role of ongoing training and oversight:

Constant reminders are most effective, Meeusen says. As a trainer, he employs a gamut of techniques--including newsletters and a station at the organization’s patient safety fair--to bring HIPAA to the forefront of employees’ minds and actions.

Security requires constant vigiliance.  But the price is worth paying.  As Meeusen points out:

“For us to accurately diagnose and treat our patients, we need them to tell us everything--even things that they’re not going to tell their spouse or their best friend. If they don’t trust that we’ll secure what they tell us, then they’re not going to tell us."

Democrats to Push HIT Legislation

The next congress is expected to take up some of the issues impacting HIT adoption in 2007, according to an article at GovernmentHealthIT.com.

Four themes are likely to emerge among the Democrats’ talking points: funding, privacy, systems interoperability and personal health records. Funding and privacy are potential sticking points.

Democrats will likely target funding to encourage small medical practices in underserved communities to adopt health IT. But Dave Roberts, vice president of government relations at the Healthcare Information and Management Systems Society, said they will have to be creative, because the Democrats have already committed to using a pay-as-you-go budgeting approach.

FutureHIT: Insider Security Threats Come in Many Forms

Dale Hunscher at FutureHIT puts together a few thoughts on IT security in an increasingly tech-oriented society.

The teenage hacker and the identity thief from some country in the former Soviet bloc get a lot of traction in the press as villains.

However, what I have come to understand gradually is expressed in the title of this article from last November on SearchSecurity.com: Insider security threats come in many forms. The most likely candidates for identity theft in your organization are the people working alongside you.

Exactly.  The laptop with sensitive data on it (which it shouldn't have) left in the car (where it shouldn't be) by an employee (who should know better) is a serious threat that has to do with the way security is approached culturally in the workplace.  There need to be security best-practices in place and they need to be enforced:

Companies must also be prepared to deal with people who create security risks without necessarily meaning to. If the network suffers a security breach because an employee was visiting seedy Web sites on company machinery, for example, there must be a plan for punishment.

"People need to understand that their computers are for business only and that they can be disciplined or even fired for using them for anything that isn't business related," Anderson said.

Or, you know, letting them get stolen with sensitive patient/client information in tow.  There are some other valuable insights, as well.  Click through and take a look.

Link

 

Akron Children's Hospital Hacked

As was mentioned here,in a comment form Dr. Darrell Pruitt,  Akron Children's Hospital had a major security breach back around Labor Day.  Due to various administrative reasons, the breach wasn't announced until nearly seven weeks later.  It looks like the hackers (apparently two - it's not clear if these were separate incidents) were able to view sensitive patient demographic data, including Social Security Numbers, as well as the bank account information and routing numbers of hospital donors (financial, not organ).  According to Bob Howard, the hospital's director of planning, "We don't know that anybody was actually affected.  All we know is, it's possible. The information was visible for the two hackers who were able to get into the system.... We don't even know if they took anything.''  The hospital's website states that no evidence was found that information was actually downloaded or otherwise compromised but the data were open to the hackers' view.

As to why it took so long, Howard says:

[when] the hospital realized that "it was theoretically possible'' that patients' personal information had been exposed to an outside threat [three weeks after the initial incident] [they] hired an expert to build a database of the names of the patients and donors at risk, which took several more weeks.

"I know that appears to be a long time, but it was as fast as we could get the information,'' Howard said.

We aren't intimately aware of the details this work involved but seven weeks seems like a lack of urgency reigned over this entire exercise.  That gave anyone who did, in fact, steal SSN adequate head start to cause serious damage to anyone whose data were compromised.

As Dr. Pruitt points out in his comments, it is incumbent upon those of us entrusted with this information to ensure its security to the best of our ability - whether we are the healthcare providers or the IT companies they hire.  What is just as important is to exercise appropriate measures in the event that our best efforts were not enough, that is to say, owning up to the mistake and taking the necessary steps to mitigate its effects.  It doesn't appear that Akron Children's did either very well.

Another stolen laptop. . . even rats learn eventually!

Upon first seeing this, we could barely bring ourselves to read another "stolen laptop" story.  Then, after further deliberation, it seemed right just to point out that, once again, it isn't the technology that's the problem here.  It's the UNBELIEVABLE stupidity of the person that leaves sensitive patient data in a mobile computer in their car.

[Alllina Hospitals spokesperson David] Kanihan said that the nurse whose computer was stolen said she had left the laptop in her car when she went in to a Minneapolis lab to drop off a specimen. The nurse believes she locked the vehicle, he added. The theft was reported to Minneapolis police.

It's so simple.  Never, never leave a computer with patient data anywhere where it can be stolen.  Don't leave it on the front seat while you run into the gas station for cigarettes; don't leave it in the trunk while you stop off to get a sandwich.  Just don't.  Handcuff it to your wrist, if you must, but don't ever let it be compromised.  You would think that after reading fifteen of these stories in the past six months, people would learn!

Patient Privacy Debate Rages On

We've posted on this topic a few times so any regular readers will have likely figured out that we're largely comfortable with the security of EHR.  Certainly there are issues that need to be addressed but overall, EHR is a good tool to help move medicine along into the new century.  On more than one occasion during this conversation we've run across the work of Dr. Deborah Peel, chairwoman of the Patient Privacy Rights Foundation (check here, here, and here for other mentions on this blog).  It's good to know that there are people out there that believe passionately in patient privacy rights; it's comforting that watchdog groups are working on our behalf to maintain our personal safety and privacy.  We're just not convinced that the agenda being advanced is productive; we've said it before and we continue to believe it. 

So when Dr. Peel posted an open letter on modernhealthcare.com railing against AHIMA and AMIA, we read it but didn't feel the need to post on it.  Today's response by Carol Newcomb of Knightsbridge Solutions was good to see, however, so we thought it would be productive to post on the debate and give links to the various arguments.  Take a look at the information and weigh it.  Please give us your thougths.  We have our opinion - let's hear yours.  Do you believe that electronic records are safer than paper?  Less safe?  Are you willing to trade a bit of privacy for the efficiency and efficacy of a paperless practice? 

A bit of ammunition to get the ball rolling: paper records have every major flaw inherent in electronic records PLUS you can't know that they've been compromised so you can't take counter-measures to remedy a compromise.  The value of electronic records far outweighs the privacy concerns and the efforts of groups like the Patient Privacy Rights Foundation, while undoubtedly well-intentioned, only serve to frighten folks away from adopting what we believe to be today's single most impactful healthcare tool.  Agree?  Disagree?

A nice quote from Ms Newbridge's letter:  It's time to take our heads out of the sand and use healthcare information wisely.  Can I get an amen?

UPDATE: To view Dr. Pruitt's article, click here.

Forbes.com: The Year of the Stolen Laptop

A synopsis of 2006 laptop thefts and the security compromises they caused.  We've posted on this issue before and we like this article because it points out what we've said in the past: The lax security measures that companies and people employ are at fault - not the data, its location, its applicaiton, or the hardware it was loaded on.

But can't they take precautions before they permit this? Was the material not password-protected? Don't these companies get computers with locks and keys? Was the data encrypted? Ernst & Young didn't encrypt the Hotels.com customer records that it allowed an employee to carry around. The Florida database was part of an anti-fraud investigation, but it wasn't encrypted.

The monthly newsletter I publish,  Privacy Journal, reported 24 serious instances of Social Security numbers and other sensitive data compromised through stolen or lost laptops in 2006. The newsletter called it the "Lost or Stolen Laptops Hall of Shame." And we still have four months left in 2006. There were at least ten incidents during the final four months of 2005. All these incidents involved companies that handle personal information routinely. (Apparently too routinely!)

The biggest insult was that the Federal Trade Commission, which is responsible for protecting Americans from fraud and identity theft, let two of its own attorneys leave the building in June with data about individuals--addresses, dates of birth, Social Security numbers, bank-account numbers--on their laptops. The devices were stolen. The FTC said it would provide free credit monitoring for those persons whose private data was compromised.

It's good to remember this while listening to the hue and cry of some "privacy advocates" who lambaste EHR as a vast, unsecured database for criminals and governments.  Instead, let's train the people using the applications to implement security best practices and operate within those guidelines.

Link (registration may be required)

CIA Link to Software Vendor Involved in NHIN Prototype Raises Questions

This is a lengthy piece at modernhealthcare.com but one worth reading.  The complex issues raised are indicative of the future debates looming as EHR, RHIO, NHIN, etc. . . continue to gain traction and come up against issues of patient privacy.  I'll summarize here but I recommend taking the time to acquaint yourself with this in more detail - it will be a recurring theme.

• Initiate Systems makes a software application used in healthcare to link patients to their reccords by running a probabilistic matching algorithm.
• The software is currently used by RxHub to check patient eligibility for drug benefits and by SureScripts, whose "data-transfer network is fast becoming a de facto standard for e-Rx linking between clinicians and pharmacies."
• Initiate also worked recently with the Veterans Health Administration to augment their patient identification system.
• Initiate Systems' software is used by MA-SHARE, a Boston-based RHIO that is participating in an HHS prototype of the NHIN.
• Initiate received "Series E" funding in February from In-Q-Tel, a venture capital firm founded in 1999 by - and still financed by - the CIA.
• All relationships, while not exactly publicized, were fully disclosed by both In-Q-Tel and Initiate Systems

So the software created and sold by Initiate Systems is used to sift through patient data and find connections between patients.  The average American's greatest concern about the creation of a national information exchange network for their health data is privacy.  The CIA is involved.  That seems like a scenario that could create some ripples. . . and it has.

Dr. Deborah Peel, chair of the Patient Privacy Rights Foundation "called the CIA connection 'outrageous,' noting that it simply doesn't pass the sniff test. 'Who doesn't believe if the CIA puts up that money, they won't have access?' Peel said. 'I'm still not satisfied.'"  Meanwhile, the folks in charge of almost all the principle players - with serious stake in how this relationship is perceived - don't seem concerned:

• Mark Overhage, with Indiana Health Information Exchange: "I don't worry much about the support Initiate has received. . . Initiate doesn't have access in any way."
• John Halamka, CEO of MA-SHARE: "I don't have specific concerns that the CIA would use this to compromise the privacy of health records. . . The Initiate algorithm is simply a generic way to take a whole set of information and filter through it."
• Rob Cronin, Director of Corporate Communications for SureScripts: "We use various technologies to deliver our services, but the makers of those technologies never have access to our systems and data, period."
• Daniel Garrett, VP and Managing Director of Computer Sciences Corporation (lead contractor in the MA-SHARE-NHIN prototype): "[It] is something I would definitely ask my team to take a look at, but what I think would come back is that it's software that's being imbedded and they (Initiate Systems) don't have access (to medical data)."

I'm ambivalent on this.  On the one hand, this is exactly the sort of thing that gives rise to statements (by Dr. Peel) that "[i]f privacy is not fully protected, we won't be building anything except the most valuable mother lode of information for data mining on Earth."  When people feel that their information is at risk, they aren't going to get behind a NHIN.  That won't make it any easier to implement.  So I say, perception-wise, this is - or at least could be - problematic.

On the other hand, many of the folks I've heard talking about this on the "patient advocacy" side seem a bit shrill.  Someone will always be there to point out that the sky is falling; it's easy to enumerate all the ways that bad things can happen.  And they aren't wrong.  Bad things can happen but it doesn't mean they will and it doesn't mean we should stop progress to avoid them.

In this instance, I think this is a bit of a tempest in a teapot.  But please click through, read the story, and tell us what you think.