With over 10,000 magazines published in the US, I rarely have time to read all of them. But I do make an effort to set aside a few hundred hours each week to read as many of them as I can.
Reading the current 2008/2009 Physicians Practice Annual Tech Guide provided a good helping of security food for thought. As a former physician, I occasionally like to check on the lack of technological progress in the healthcare industry. However, after reading this publication, I was pleased to find that both the Internet, and the digital storage of information, have been discovered and incorporated into the doctor’s office. Unfortunately, the concept of information security has yet to be understood by our community of clinicians.
An article mistitled, Security: Protect Your Practice and Sleep Better, contained some surprising factual information and some information that was surprising to read as facts. I may be the last person to know that identity theft is surpassing drug trafficking as the No.1 crime in the US, but now I know. Furthermore, the article provided the interesting factoid that a laptop is stolen every 53 seconds. By my calculations, if we all engaged in laptop theft, after approximately 264 steals, one would have stolen back their own laptop. I like to call it… “The Circle of Theft.”
The unsettling information contained in this piece came from the scary statistical information provided and the rudimentary security advice prescribed to physician’s practices.
Courtesy of the Privacy Rights Clearinghouse, we are told that 20% of medical data breaches are due to “human/software incompetence”. This is a disturbing statistic. Remember, this type of data breach is not necessarily the kind associated with identity theft or financial fraud (possibly preferable to some) that can often be remediated by canceling credit cards and closing accounts (and often not, thus ruining your life), it is the kind that publicly discloses why and where you’re applying Podofilox and perhaps why you’ve been responding to your Viagra spam. It may be a close call for some, but I’d choose identity theft over people knowing that much about my true identity.
The fact that a breach of data with such highly sensitive content can be attributed to “human incompetence” is just, well, incompetent. Using some preventive medicine, this problem could be treated by using one of the “two T’s” of security policy….training or termination. They also claim that a Gartner research study reveals that 80% of computer crime is committed by “disgruntled employees”. What?! I guess I missed that study, and all the others demonstrating how the “disgruntled employee” is by far the largest cyber threat we face. I’ll be sure to update the buzzword developers that the online equivalent of going “postal” is now called going “disgruntled”. Regardless, this statistic is bothersome in the context of medical data. It appears that data loss in the medical practice setting is primarily from employees who hate their jobs or those who just don’t understand them.
The security recommendations dispensed were both comical and self-contradictory. For instance, the quote by Stephen Moulton, director of product development for Innovative Card Scanning, “Paper can be copied, stolen, and taken without you even knowing it…”, was very informative, but I’m pretty sure that those things can happen to digital data as well (I remember reading the proof of concept).
There is an “In Summary” section in the margin that simplifies the article into a number bullet points. Despite their best efforts, it clearly shows why information security publications shouldn’t (and don’t) dispense medical advice (unless it’s viral related) and why healthcare publications shouldn’t provide information security guidelines:
- Don’t revert back to paper files. They are just as vulnerable — or more — to theft or loss. (sneaking file cabinets of paper patient records on to trucks seems a lot easier than 0wning a database)
- Invest in affordable theft-detection services that may be able to retrieve lost or stolen patient data. (make sure its affordable and that it may employ some sort of retrieval technology)
- If you electronically transmit patient data to a third party, such as a claims processing firm, do your best to ensure that transmission is encrypted on both ends. (don’t worry about security standards….just “do your best”)
- Physically secure all of your office’s hardware when closing your clinic at the end of each day. (and all this time I thought doctor’s offices were broken into for drugs)
- If applicable, learn about the security measures your landlord provides your office building. (only if applicable and only just learn about them)
- Consider purchasing new hardware that goes beyond password protection. (that’s exactly how its stated in the HIPAA requirements)
I left this article thinking, “Good intentions, bad advice”. My recommendations would at least contain the words…outsourcing, SaaS and HIPAA (in a bold 72 font size). Fortunately, being an android, my medical records are documentation from factory servicing and firmware updates.
Direct your disgruntled comments to: greyhat@computer.org