From the Editor: Privacy & Practicality
Several years ago, I discussed data security with an IT specialist at a defense contractor. He described the measures his company had taken to ensure that hardware and data stayed secure as technology advanced. These measures included: a ban on internet access on most computers, a tightly controlled supply of thumb drives and a sign-out sheet indicating who was using them and why. External drive ports and CD slots on most machines were disabled, and RF chips on portable equipment tracked their constant whereabouts. Even in the “good old days” of 2008, that seemed like a draconian approach.
I think about that conversation now when major hospital data breaches are reported, seemingly so often. Although the security scenario he described is not coming soon to a hospital near you, does this sound like the ideal system for your facility? Locking everything down might not be practical, but it’s tempting when you consider that laptop theft is the leading cause of Protected Health Information (PHI) breaches affecting more than 500 people, according to the Department of Health and Human Services.
A recent study of federal breach data since August 2009 by security researcher Redspin adds more facts to the growing list of frightening numbers:
- 43 states, plus Washington, D.C., and Puerto Rico, have suffered at least one breach.
- 65 percent of all records breached resulted from the theft of a laptop or other portable media device.
Most facilities, faced with negative publicity about a breach, are reluctant to speak about these incidents, but their stories are just as important as positive news about successful EMRs and HIEs—and maybe more so. It’s clear from the growing list of breaches that healthcare organizations of all stripes, as rich sources of personal information, will be targets.
Human factors are behind the solutions to data theft as well as its causes. At the University of Iowa Hospitals and Clinics, “we have a phenomenal compliance/privacy team that works really well with the IT group,” says Lee Carmen, CIO and associate vice president of IT. That teamwork has allowed the organization to develop “a really strong appreciation within the enterprise [privacy] regulations,” he says. It also was one of the keys to quickly finding and stopping a recent data breach. See “Access Denied: Avoiding Data Disasters” for more about protecting data when unplugging and disabling features won’t work.