Thursday, September 01, 2011

Here Is A Key Reason For Privacy in EHRs to Be Taken Very Seriously. The Surrounding Security is Also Important!

This very useful report appeared a few days ago.

Workers staying silent on mental health, with bosses kept in the dark

THE stigma surrounding mental illness remains strong enough for nearly four in 10 sufferers to not disclose the condition to their employers.

And even for those who do, understanding and support from employers and managers is severely lacking, a study by Sane Australia reveals.

The Working Life and Mental Illness study, to be published today, which surveyed 520 people with a mental illness, finds the majority don't believe their manager understands mental illness and its impact in the workplace.

"Fewer than half of managers (43 per cent) were said to understand how it affected people in the workplace," the report says, with only 30 per cent of sufferers offered flexible working arrangements.

"Many people with a mental illness do not disclose their condition to employers, fearful they will lose their jobs, thus making it harder to access support. This also applies to employees who are caring for a family member with a mental illness."

Geelong bookkeeper Nicci Wall, 45, was diagnosed with bipolar disorder and obsessive compulsive tendencies 10 years ago, having suffered depression since her 20s. Ms Wall says her current employer's understanding and acceptance of her illness and preparedness to work around it is a win-win, as the flexible work hours allow them to get the best out of her.

More here:

http://www.theaustralian.com.au/news/health-science/workers-staying-silent-on-mental-health-with-bosses-kept-in-the-dark/story-e6frg8y6-1226121570551

The research bulletin on which the report is based is found here.

http://www.sane.org/images/stories/information/research/1108_info_rb14work.pdf

What is clear here is that there is a large number of people who suffer, or have suffered, some mental illness (a major segment of the population) who do not have understanding employers and who fear stigmatisation and persecution, such as job loss, if the information does not remain confidential.

Add this large group to those with other illnesses or clinical histories that may disadvantage and stigmatise them, and you are talking about a very large number of people.

The ill-informed who label all such patients, and more especially those who advocate on their behalf, 'privacy Nazis' really miss the point. Any system that fails to recognise these issues and minimise them will simply fail.

Just how tricky it will be is shown here:

New Data Spill Shows Risk of Online Health Records

By JORDAN ROBERTSON (AP) on August 22, 2011

SAN FRANCISCO (AP) -- Until recently, medical files belonging to nearly 300,000 Californians sat unsecured on the Internet for the entire world to see.

There were insurance forms, Social Security numbers and doctors' notes. Among the files were summaries that spelled out, in painstaking detail, a trucker's crushed fingers, a maintenance worker's broken ribs and one man's bout with sexual dysfunction.

At a time of mounting computer hacking threats, the incident offers an alarming glimpse at privacy risks as the nation moves steadily into an era in which every American's sensitive medical information will be digitized.

Electronic records can lower costs, cut bureaucracy and ultimately save lives. The government is offering bonuses to early adopters and threatening penalties and cuts in payments to medical providers who refuse to change.

But there are not-so-hidden costs with modernization.

"When things go wrong, they can really go wrong," says Beth Givens, director of the nonprofit Privacy Rights Clearinghouse, which tracks data breaches. "Even the most well-designed systems are not safe. ... This case is a good example of how the human element is the weakest link."

Southern California Medical-Legal Consultants, which represents doctors and hospitals seeking payment from patients receiving workers' compensation, put the records on a website that it believed only employees could use, owner Joel Hecht says.

The personal data was discovered by Aaron Titus, a researcher with Identity Finder who then alerted Hecht's firm and The Associated Press. He found it through Internet searches, a common tactic for finding private information posted on unsecured sites.

Titus says Hecht's company failed to use two basic techniques that could have protected the data - requiring a password and instructing search engines not to index the pages. He called the breach "likely a case of felony stupidity."

Large-scale medical data breaches have been on the rise in recent years.

In one of the biggest, government health data was at risk in 2006 when a laptop with data on 26.5 million veterans was stolen from a government employee's home. The computer equipment was recovered, and the FBI said the sensitive files weren't accessed.

.....

This year, hard drives containing health histories, financial information and Social Security numbers of 1.9 million Health Net insurance customers disappeared from an office. State regulators launched investigations into Health Net's security procedures.

The California company declined to comment, saying the incident was still under investigation.

The latest incident is "an eye-opener, and we're going to get eye-opener after eye-opener," says Jim Dempsey, a security and public policy expert at the Center for Democracy & Technology.

As instances of data mishandling become more commonplace, government officials may seek greater control over security policies of companies with access to health care records that aren't currently regulated.

"It should be yet another warning bell for companies: You've got your reputation on the line, and you're also facing enforcement action if you don't pay attention to the security of the data you collect and process," Dempsey says.

The full article is here:

http://techland.time.com/2011/08/22/new-data-spill-shows-risk-of-online-health-records/
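The two basic protections Titus names, requiring a credential and telling search engines not to index the pages, are both things a records custodian can check on its own site before a researcher does. The following is an added example, not code from the AP article or from Identity Finder: a Python audit that takes a captured HTTP response and the site's robots.txt (both constructed here, with the hostname example.invalid as a placeholder) and reports which of the two controls is missing. The `HttpResponse` class and the rule that a redirect to a login page counts as an access-control challenge are assumptions of this example.

```python
"""Audit a captured HTTP response for the two controls named above:
access control and a no-index instruction. All sample data is constructed."""
import re
import urllib.robotparser
from dataclasses import dataclass, field


@dataclass
class HttpResponse:
    """A minimal captured response; header names are stored lower-cased."""
    url: str
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def requires_authentication(resp: HttpResponse) -> bool:
    """True if the server challenged or refused the unauthenticated request."""
    if resp.status == 401 and "www-authenticate" in resp.headers:
        return True
    if resp.status == 403:
        return True
    location = resp.headers.get("location", "").lower()
    if resp.status in (301, 302, 303, 307, 308) and "login" in location:
        return True  # assumption: a redirect to a login page is a challenge
    return False


# Matches <meta name="robots" content="... noindex ..."> in the page body.
META_NOINDEX = re.compile(
    r'<meta\s[^>]*name=["\']robots["\'][^>]*content=["\'][^"\']*noindex', re.I)


def noindex_signals(resp: HttpResponse, robots_txt: str) -> list:
    """Return the ways this URL tells crawlers not to index it (empty = none)."""
    found = []
    if "noindex" in resp.headers.get("x-robots-tag", "").lower():
        found.append("X-Robots-Tag header")
    if META_NOINDEX.search(resp.body):
        found.append("meta robots tag")
    parser = urllib.robotparser.RobotFileParser()
    parser.parse(robots_txt.splitlines())
    if not parser.can_fetch("*", resp.url):
        found.append("robots.txt disallow")
    return found


def audit(resp: HttpResponse, robots_txt: str) -> list:
    """List the missing controls; an empty list means both are present."""
    missing = []
    if not requires_authentication(resp):
        missing.append("no access control: page served without a credential")
    if not noindex_signals(resp, robots_txt):
        missing.append("no no-index instruction: crawlers may index this page")
    return missing


# Constructed samples: an exposed claims page and a corrected one.
EXPOSED = HttpResponse(
    url="https://example.invalid/claims/case-1234.html",
    status=200,
    headers={"content-type": "text/html"},
    body="<html><body>Claim summary for patient ...</body></html>")
EXPOSED_ROBOTS = ""   # the site publishes no robots.txt at all

PROTECTED = HttpResponse(
    url="https://example.invalid/claims/case-1234.html",
    status=401,
    headers={"www-authenticate": 'Basic realm="staff"',
             "x-robots-tag": "noindex, nofollow"})
PROTECTED_ROBOTS = "User-agent: *\nDisallow: /claims/\n"

if __name__ == "__main__":
    for name, resp, robots in (("exposed", EXPOSED, EXPOSED_ROBOTS),
                               ("protected", PROTECTED, PROTECTED_ROBOTS)):
        print(name, audit(resp, robots) or ["both controls present"])
```

The audit reports the two controls separately on purpose: a no-index instruction only keeps a page out of search results, while anyone who already has the URL can still fetch it, so a page that is noindexed but served with a 200 and no credential is still reported as lacking access control.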

Issues are also being raised about managing records in the cloud.

EHR Data In Cloud Needs Strong Security Trail

Presenters at a recent Legal EHR Summit warn healthcare providers to press their vendors for clear answers on security.

By Neil Versel, InformationWeek

August 22, 2011

With healthcare's unique information security requirements, the growth of cloud-based electronic health records (EHRs) is raising a number of new issues regarding data stewardship and organizational responsibility.

According to Gerard Nussbaum, director of technology services at management consultancy Kurt Salmon Associates, the Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules do not specify whether a provider using a cloud-based EHR owns data in the medical records or if the information belongs to the service host. Speaking last week at the American Health Information Management Association (AHIMA) Legal EHR Summit in Chicago, Nussbaum recommended that healthcare providers explicitly negotiate data usage in contracts, particularly in case of a breach.

"Nothing is secure from breaches," noted Nussbaum, an attorney. Knowing this, he said it's best to "iron out up front" what each party's legal responsibility is in the event of a breach, such as who must notify individuals whose data may have been compromised.

Health information management consultant Sandra Nunn, who participated in a panel discussion on managing health information in the cloud, said she wants her clients to reach a clear understanding with their vendors about whether information will be sequestered in the cloud if there is a breach and whether there will be an easily accessible audit trail.

"Having multiple cloud vendors can complicate your situation," Nunn said. She surmised that it might be a good idea for providers to ask their vendors once or twice a year to create an audit log just to make sure it's possible.

Lots more here:

http://www.informationweek.com/news/healthcare/security-privacy/231500467
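Nunn's two asks, an easily accessible audit trail and a periodic test that the vendor can actually produce one, raise the question of what to check when the log arrives. The following is an added example, not from the InformationWeek article or any vendor's product: a Python hash-chained access log, where each record carries the hash of its predecessor, and the verification routine a provider could run over an exported log. The record layout, event fields and sample events are constructed for this example.

```python
"""Hash-chained access log for an EHR, plus the verification a customer
would run on a log its cloud vendor exports. Sample events are constructed."""
import copy
import hashlib
import json

GENESIS_HASH = "0" * 64  # value that stands in for the hash before record 0


def record_hash(prev_hash: str, seq: int, event: dict) -> str:
    """Hash the record's position, its predecessor's hash and a canonical
    encoding of the event, so an edit to any of them changes the hash."""
    canonical = json.dumps({"prev": prev_hash, "seq": seq, "event": event},
                           sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def append_event(chain: list, event: dict) -> dict:
    """Append an access event, linking it to the previous record."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS_HASH
    seq = len(chain)
    record = {"seq": seq, "prev": prev_hash, "event": event,
              "hash": record_hash(prev_hash, seq, event)}
    chain.append(record)
    return record


def verify_chain(chain: list):
    """Return (True, None) if every record links correctly to its
    predecessor, else (False, index of the first record that fails)."""
    prev_hash = GENESIS_HASH
    for index, record in enumerate(chain):
        expected = record_hash(prev_hash, index, record["event"])
        if (record["seq"] != index or record["prev"] != prev_hash
                or record["hash"] != expected):
            return False, index
        prev_hash = record["hash"]
    return True, None


def build_sample_chain() -> list:
    """Constructed access events, as a vendor might export them."""
    chain = []
    events = [
        {"ts": "2011-08-22T09:14:03Z", "user": "dr.smith",
         "patient": "P-1001", "action": "view"},
        {"ts": "2011-08-22T09:20:41Z", "user": "clerk.jones",
         "patient": "P-1001", "action": "export"},
        {"ts": "2011-08-22T11:02:17Z", "user": "dr.smith",
         "patient": "P-2042", "action": "update"},
    ]
    for event in events:
        append_event(chain, event)
    return chain


def altered_copy(chain: list, index: int, **changes) -> list:
    """Copy the chain and edit one event's fields without recomputing
    any hashes, which is what an after-the-fact edit looks like."""
    tampered = copy.deepcopy(chain)
    tampered[index]["event"].update(changes)
    return tampered


def dropped_copy(chain: list, index: int) -> list:
    """Copy the chain with one record silently removed."""
    tampered = copy.deepcopy(chain)
    del tampered[index]
    return tampered


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact:", verify_chain(chain))
    print("record 1 edited:", verify_chain(altered_copy(chain, 1, action="view")))
    print("record 1 removed:", verify_chain(dropped_copy(chain, 1)))
    print("tail truncated:", verify_chain(chain[:2]))
```

The chain detects an edited or deleted record anywhere before the end, but a log simply cut off after a given record still verifies, because nothing after the last retained hash is missing from its point of view. That is why the periodic export Nunn suggests is worth pairing with the provider keeping its own copy of the most recent hash: comparing that value against the vendor's export is what catches a truncated trail.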

Additionally, and quite surprisingly, it seems some medical devices might also be at risk.

Hacked Medical Device Sparks Congressional Inquiry

Legislators demand answers after a security researcher remotely controlled his own insulin pump using a $20 radio frequency transmitter at Black Hat.

By Mathew J. Schwartz, InformationWeek

August 23, 2011

Two members of Congress have asked the Government Accountability Office (GAO) to review the Federal Communications Commission's approach to medical devices with wireless capabilities to ensure that the devices are "safe, reliable, and secure."

The letter to the GAO, from Reps. Anna G. Eshoo (D-Calif.) and Edward J. Markey (D-Mass.)--both members of the House communications and technology subcommittee--was sparked by a medical device hacking demonstration earlier this month at the Black Hat conference in Las Vegas.

While most Black Hat presentations typically detail exploits launched against others or more benign forms of hardware hacking, security researcher Jerome Radcliffe actually hacked--live and onstage--his own insulin pump, which he relies on to subcutaneously administer multiple doses of insulin per day. Radcliffe, 33, said he was diagnosed with diabetes at age 22.

Next came the medical device hardware hacking. Specifically, Radcliffe reverse-engineered the wireless commands sent from the small controller that ships with his pump, and which is used to tell the pump what dosage of insulin to administer. After decoding the communications protocol, Radcliffe was able to program a small radio frequency (RF) transmitter--easily available for $100 new, or $20 for a used one on eBay--to remotely control his insulin pump. In his demonstration, Radcliffe showed how he could use the remote transmitter both to administer arbitrary insulin doses, as well as to disable the pump.

Many more details here:

http://www.informationweek.com/news/security/vulnerabilities/231500548

There is no reason to be in any way alarmist about any of this, but the messages are clear. First, there are many consumers who will need a lot of reassurance about electronic health records. Second, despite the best efforts, there will be occasional security leaks. These need to be anticipated and managed effectively to minimise possible damage to EHR use. Third, we really do need a carefully planned approach to EHR protection that is continually reviewed and updated.

As a last comment, we do need to ensure there is proper disclosure of all significant breaches so that lessons are learnt quickly and repeat leaks are prevented.

A large issue indeed!

David.
