Wednesday, March 20, 2013

The New England Journal Of Medicine Weighs In On Information Security In Health

This appeared a little while ago.

Protecting Patient Privacy and Data Security

Julie K. Taitsman, M.D., J.D., Christi Macrina Grimm, M.P.A., and Shantanu Agrawal, M.D.
N Engl J Med 2013; 368:977-979 March 14, 2013 DOI: 10.1056/NEJMp1215258
On December 4, 2012, two Australian radio DJs called London's King Edward VII's Hospital, identified themselves, in fake British accents, as Queen Elizabeth and Prince Charles, and asked about a celebrity patient who had been admitted for pregnancy complications. A nurse, filling in at the reception desk in the early morning hours, answered the phone and, without attempting to verify the callers' identities, transferred them to the duty nurse caring for the Duchess of Cambridge. The duty nurse then provided them with confidential patient information.[1] The Australian DJs broadcast the phone call, considering it a humorous prank, but as the world knows, it had disastrous consequences.
How confident are U.S. hospitals, nursing homes, and physicians' offices that their staff would appropriately deny patient information to an unknown caller?
Too often, unauthorized people succeed in extracting protected information from health care providers. Invasion of privacy also affects noncelebrities, when anyone seeks health information the patient has not chosen to share. More often, though, scam artists seek patients' billing information for financial gain. The patient's insurance identifier is then used by an uninsured person to obtain medical services or by a fraudulent health care provider to bill for medical services that were never rendered. Data security breaches and medical identity theft are growing concerns, with thousands of cases reported each year. The Centers for Medicare and Medicaid Services (CMS) tracks nearly 300,000 compromised Medicare-beneficiary numbers.[2] The Office for Civil Rights has received more than 77,000 complaints regarding breaches of health information privacy and completed more than 27,000 investigations, which have resulted in more than 18,000 corrective actions.[3]
The full article and references are found here:
Usefully, they have provided a good summary of privacy and security safeguards. See here:
Additionally, there is a useful set of steps to secure mobile devices.

Steps to Protect and Secure Information When Using Mobile Devices.*

· Install and enable encryption
· Use a password or other user authentication
· Install and activate wiping, remote disabling, or both to erase data on lost or stolen devices
· Disable and do not install or use file-sharing applications
· Install and enable a firewall to block unauthorized access
· Install and enable security software to protect against malicious applications, viruses, spyware, and malware-based attacks
· Keep security software up to date
· Research mobile applications before downloading
· Maintain physical control of mobile devices
· Use adequate security to send or receive health information over public Wi-Fi networks
· Delete all stored health information on mobile devices before discarding the devices
* Recommended by the Office of the National Coordinator for Health Information Technology.
All in all, a good one for the reference files.


Paul Fitzgerald said...

Needs to be more than one for the reference files, David. There are serious penalties for failing to do these basic things in the event of a privacy breach. Then there is the remediation cost post a breach. Clinics/practices should consider insurance against cyber attacks and possible privacy/data breaches, along with ensuring the basics are covered.

InformaticsMD said...

Then there's this.

When the government wants your data, it can probably get it:

IRS faces class action lawsuit over theft of 60 million medical records

Anonymous said...

"Class Actions" will be a major concern for all healthcare providers into the future, not the Privacy Commissioner.

Evidence of this is occurring all around the world, it won't be long before something occurs in Australia.

As Paul F mentioned, GPs, clinics and practices should take out cyber insurance to mitigate any risk of a data or privacy breach.

I am aware that a product will be released in the market for GPs in the next 10 days, that won't cost the earth and will cover all basic contingencies.

Terry Hannan said...

This topic has distinct relevance in my local hospital this week. Our corridors are populated by DOHA staff wearing DOHA e-health T-shirts who confront people passing by with the request "would they like to have their own 'secure' electronic record". This is followed by "all you need to do is give us your Medicare Card and your Licence and we will set the record up for you." The initial data is transcribed by hand onto a clipboard, then entered later on a portable device off site, after a given individual has signed the clipboard form containing their personal information.
When I asked one of the data collection people what they are doing, she informed me they were registering the people for their SECURE medical record and that she understands it is secure because "she has been told it is secure"!!! An individual who signs up is then given a small pamphlet to take and read about the e-record. Personally I have a lot of difficulty with this data collection process, not only from patient data security but the real risk of transcription errors in the data recording. On straw polls in this institution ~0% of doctors know what a PCEHR is, and for the rest of the staff I am sure the figure is not much more. This whole process seems like a political stunt to enhance the PCEHR registration numbers for a project that has been very costly and doomed to failure, implementation-wise and politically.

Anonymous said...

Think you've nailed it Terry - a pretty cynical bid to boost registration numbers! It's also happening in some GP clinics, where people persuade you to sign up in the waiting room.

Who are these DoHA people - casual staff employed for the "campaign"?

Exactly what information are they collecting and what details are they entering later into the system?

And how many patients thus railroaded will actually go home and look up their record to see what's there, or otherwise make use of the record as intended?

Anonymous said...

Terry Hannan has highlighted a very disturbing activity which he describes as - a political stunt to enhance the PCEHR registration numbers.

It reeks of a blatant invasion of privacy. To waylay people inside the protected environment of the walls of a public hospital is sickening. Many people are just holding themselves together wrestling with illnesses and deep personal traumas.

To use the credibility and reputation of a trusted public hospital environment in this way is inexcusable. They should join the American Express sales people at the airport terminals if they want to use such enrollment techniques.

Handing out a simple explanatory flyer to people as they pass without interrupting their thoughts is probably still unacceptable in the protected confines of the hospital environment.

Good governance suggests that the Hospital Board should immediately instruct the Hospital Executive to terminate that activity without delay.

Anonymous said...

I saw a PCEHR sign-up team in the mall at Bondi Junction last week, little desk, big signs. Clearly a broad push all over the place to get numbers up. What is the cost per sign-up, I wonder? Smells desperate to me.

Anonymous said...

Yes, there is a big push on...
At CHIK in Melbourne, apparently

Anonymous said...

How much (more) is being spent on this PCEHR activity and what funding bucket is this being sustained by?

+$1B and counting.

Paul Fitzgerald said...

How can accosting complete strangers in a hospital corridor/waiting area and taking their Medicare Number and Driver's Licence not be a breach of Privacy? This is enough to get a stolen ID up and running. Surely the Feds don't have an immunity to the Privacy Laws that we mere Plebs need to follow? And as someone else suggests, at what cost?

Anonymous said...

But they pretty much are immune...

the bill says: "While each jurisdiction will be legally bound by the arrangements set out, the Crown will not be liable for pecuniary penalties or subject to prosecution for offences. While the Crown cannot be liable to be prosecuted for an offence, or liable for a pecuniary penalty, this does not mean that all action against the Crown is precluded.

"If the Crown in any of its capacities does not comply with its obligations under this bill, other remedies are potentially available. For example, it may be subject to a declaration or injunction, investigated by the Information Commissioner under the Privacy Act, investigated by the Ombudsman, subject to Parliamentary scrutiny or subject to claims for breach of statutory duty.

"Further, while the Crown may have immunity in certain regards, the employees and contractors of the Crown will not necessarily have any such immunity. Finally, nothing in the Bill prevents an individual who suffers loss or damage from seeking to recover that loss or damage from the person who caused it."
Anonymous said...

Unbelievable - what will they stoop to next?

So just how "secure" is the data of the poor, sick individual who has been bullied into giving it to some bureaucratic types with clipboards in a hospital corridor?

What happens to it between the time it is captured on the clipboard and entered on a PC or iPad or whatever? Can't wait for the first time a clipboard full of personally identifiable information is stolen, lost, left in a taxi etc. How is Ms Halton going to explain that away?

Don't seem to remember this registration method being in any of the previous "design" briefs......