Tuesday, May 6, 2008

Lapses in the Health Care Industry

Are you a security professional charged with protecting patient records maintained by your employer, such as a hospital or medical insurer?

Then don’t miss Sarah Rubenstein’s April 29th round-up in The Wall Street Journal of the issues and most egregious recent breaches involving poorly protected medical records. (Sarah’s article is also useful if you are simply concerned about your own digitized medical records and issues of personal privacy.)

Most of the media attention in recent weeks about patient records has focused on a few Hollywood stars who allegedly had their records and their privacy invaded in Los Angeles. There has been at least one indictment since Sarah’s article, based on evidence that some of the information may have been sold to the media itself.

But the problem for those who guard those records is only going to get much bigger as hospitals and other health care institutions begin complying with the industry’s determined push to adopt electronic records for patients – making access quicker and easier in a crisis.

The intent of the industry initiative is to give a sharp and final shove to Luddite medical doctors and hospital bureaucrats who keep vital medical records on unprotected scraps of badly filed paper … and who have traditionally refused any and all reasonable attempts to master contemporary data recording and retrieval systems.

But the transition to digits is creating security nightmares of its own.

And the problem, says Sarah in her April 29 article, goes well beyond celebrity records in Hollywood hospitals: “In a spate of recent security lapses at hospitals, health insurers and the federal government, private information on hundreds of thousands of patients, ranging from Social Security numbers to fertility-treatment and cancer records, has been compromised.”

Security professionals in the health care industry need to keep on top of potential vulnerabilities in this field, but they also must be aware of changing privacy rules in the industry, largely driven by the provisions of the Health Insurance Portability and Accountability Act (HIPAA).

Sarah also provides some links that are useful in learning more about the law … and how all of us can better guard the guardians of our records:

Health Care Privacy Project
http://www.healthprivacy.org/
Detailed information on federal health-privacy laws

Patient Privacy Rights
http://www.patientprivacyrights.org/
Privacy toolkit that includes a form to request your medical records

Privacy Rights Clearing House
http://www.privacyrights.org/
Tips on identity theft and dealing with a security breach

World Privacy Forum
http://www.worldprivacyforum.org/
Tips on medical identity theft

– Tom Goff