This article can also be found in the Premium Editorial Download "Information Security magazine: Tips for navigating the maze of global security regulations."
While we may argue the dental status of HIPAA ("HIPAA-ocricy," December 2006), good security practices in a health care environment equate to good business practices.
Yes, HIPAA can be overbearing, but
To have a chief physician boast that his doctors don't believe in password security, that one doctor logs in for all the others, is unbelievable in this litigious society. Without password security, anybody who has access to the computer workstation--doctor, nurse, housekeeper or visitor--has the ability to change patient information in a medical chart without detection or tracking.
This does not make for good medicine nor good business. What happens when an untoward medical outcome brings an investigation? Are you going to take the witness stand and say: "It might be my diagnosis, but maybe someone changed it. Someone might have altered the meds, I don't know. I cannot vouch for this medical record which has my signature."
It may be human nature to rebel against strong password policies, but some sort of access control has to be used to prevent unauthorized access. Sloppy HIPAA compliance probably means sloppy security all around.
What other corporate data besides patient information is readily available to prying eyes? I hope my doctor doesn't work this way--nor my bank, nor my DMV.
Information Security Liaison,
Kingsboro Psychiatric Center, Brooklyn, NY
There really are two holes in HIPAA: the lack of incentives--pro or con--to comply, and the lack of a plausible minimal technical standard for hardened networks. But, I would like to talk about the part of HIPAA that works.
Your doctors are telling you the blunt truth and that is a healthy thing. Medical professionals swim in risk like fish; they can smell an under-baked risk profile a mile away. Further, they may even QA your risk case by deliberate defiance, just to see what happens in a low-risk situation. Meeting your medical professionals where they live can cut off useless measures and inspire effective action.
Suggestions for the first hole:
- Make the connection between patient privacy and data security. Most medical records are also useful for identity theft against their patients. More laws than HIPAA are in play here.
- Make the connection between public service and fault tolerance. Robust information system designs enable them to provide medical help--rain or shine.
- Make the connection between liability control and computer forensics. Unique IDs and traceable data events can provide defensive court records.
- Make the connection between preventative health and data security reviews of new medical systems. Medical professionals know about the payoff of prevention.
- No one has yet defined the HIPAA equivalent of the credit card industry standards for hardened data systems.
- The acceptable risk profile of doctors is much higher than data privacy normally can tolerate.
- The subcontractor status of doctors makes the fluid flow of data in PDAs a network with a mobile perimeter. The doctor-in-Starbucks scenario is very challenging.
But, for now, it must be understood that data security risks fit more into business risk than medical risk. And doctors sometimes will accept bankruptcy as secondary to the noble cause of saving lives.
This was first published in February 2007