InformaticsMD on NPR Affiliate KNPR regarding electronic medical record privacy: St. Rose hospital group used patient information to solicit patient lobbying?

<span style="font-family: "Arial","sans-serif"; font-size: 10.0pt;">Radio station <b><a href="http://www.knpr.org/">News 88.9 KNPR</a></b>, the NPR affiliate in Las Vegas</span><span style="font-family: "Arial","sans-serif"; font-size: 10.0pt;"> did </span><span style="font-family: "Arial","sans-serif"; font-size: 10.0pt;">a segment today on the following news story.  The station's Senior Producer had invited me to participate via phone regarding patient privacy issues.</span><br /><div class="MsoNormal"><br /><span style="font-family: "Arial","sans-serif"; font-size: 10.0pt;">Emphases mine: </span></div><div class="MsoNormal"><span style="font-family: "Arial","sans-serif"; font-size: 10.0pt;"> </span></div><blockquote class="tr_bq"><div class="MsoNormal"><a href="http://www.reviewjournal.com/news/federal-complaint-alleges-st-rose-hospitals-violated-patient-privacy"><span style="font-family: "Arial","sans-serif"; font-size: small;">http://www.reviewjournal.com/news/federal-complaint-alleges-st-rose-hospitals-violated-patient-privacy</span></a><br /><br /><span style="font-family: "Arial","sans-serif"; font-size: 10.0pt;">February 10, 2014 - Updated  February 11, 2014 <br /><b>Federal complaint alleges St. Rose Hospitals violated patient privacy</b><br /><br />By STEVEN SLIVKA<br />LAS VEGAS REVIEW-JOURNAL<br /><br />Dignity Health, the owner of St. Rose Dominican Hospitals, is f<b>acing a federal complaint alleging it violated patient privacy by using patient records as leverage in a contract dispute.</b><br />According to a Monday announcement from the Nevada Health Services Coalition, Dignity Health <i><b>used patient records to contact those with coalition member plans after agreements between the two agencies fell through in January</b></i>, something it contends violates the Health Insurance Portability and Accountability Act, or HIPAA. The complaint was filed with the U.S. Department of Health and Human Services Office of Civil Rights.<br /><br />The complaint contends <i><b>St. Rose contacted former patients in an attempt to persuade them to take action with their health plans favorable to St. Rose. </b></i>The complaint also said that St. Rose claimed their actions were simply to be “informative.”<br /><br />“It’s our position that patient data collected in the course of medical treatment should not be used to lobby or gain leverage in contract negotiations,” said Christine Carafelli, executive director of the coalition.<br /><br />The Nevada Health Services Coalition is a nonprofit entity that negotiates hospital contracts for discounted health care service rates for 19 member group organizations, totaling approximately 230,000 Nevada residents.<br /><br />A spokesperson for St. Rose said they would issue a statement on Tuesday.  </span></div></blockquote><div class="MsoNormal"><br /></div><div class="MsoNormal"><span style="font-family: "Arial","sans-serif"; font-size: 10.0pt;"><span style="font-family: "Arial","sans-serif"; font-size: 10.0pt;">The segment has now completed.  It was hosted by Dave Becker of KNPR.</span></span></div><div class="MsoNormal"><br /></div><div class="MsoNormal"><span style="font-family: "Arial","sans-serif"; font-size: 10.0pt;">A representative of the <b>Health Services Coalition</b> (<a href="http://www.lvhsc.org/">http://www.lvhsc.org/</a>), a local organization of union, casino and local government health funds who bargain together for maximum leverage, participated, as did a hospital VP. </span><br /><br /><span style="font-family: "Arial","sans-serif"; font-size: 10.0pt;">The coalition is accusing the St. Rose hospital group (a division of Dignity Health) <i><b>of using patient records to contact patients to urge them to lobby for the hospital in contract negotiations.</b></i></span></div><div class="MsoNormal"><br /></div><div class="MsoNormal"><span style="font-family: "Arial","sans-serif"; font-size: 10.0pt;">I was asked for an opinion on the acceptability of access to patient information in an organization's EHR systems (including PHI such as name, address and other contact information) for purposes of soliciting the patients to lobby the insurers on behalf of the healthcare organization for better terms.</span></div><div class="MsoNormal"><br /></div><div class="MsoNormal"><span style="font-family: "Arial","sans-serif"; font-size: 10.0pt;">My opinion was clear, which I summarize as follows:</span></div><div class="MsoNormal"><br /></div><div class="MsoNormal"><span style="font-family: "Arial","sans-serif"; font-size: 10.0pt;">1.  Hospitals do not "own" patient data to use as they please.  Is is not a simple business asset, like typewriters - or computers.  Any belief that a hospital can treat patient records as such, to be used as they pleased, would reflect arrogance;</span><br /><br /><span style="font-family: "Arial","sans-serif"; font-size: 10.0pt;">2.  The HIPAA privacy rule and its exceptions (viewable at <a href="http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/">http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/</a>, section under "</span><span style="font-family: "Arial","sans-serif"; font-size: 10.0pt;"><b>Permitted Uses and Disclosures</b>") would preclude the use of patient's private and protected information in an EHR for selective solicitation for lobbying on behalf of the hospital;</span></div><div class="MsoNormal"><br /></div><div class="MsoNormal"><span style="font-family: "Arial","sans-serif"; font-size: 10.0pt;">3.  Who accessed the patient information, and exactly what they accessed, is not clear, and an electronic audit trail needs to be disclosed as to these issues;</span></div><div class="MsoNormal"><br /></div><div class="MsoNormal"><span style="font-family: "Arial","sans-serif"; font-size: 10.0pt;">4.  Harm could potentially come to patients if someone who accessed the information, who otherwise </span><span style="font-family: "Arial","sans-serif"; font-size: 10.0pt;"><span style="font-family: "Arial","sans-serif"; font-size: 10.0pt;">might not have</span>, used it to advantage for other purposes.  This includes, for example, uses outside of the medical sphere (e.g., personal use by, say, a neighbor or competitor).  I am aware of cases of such abuse, as is HHS and so are hospitals (see my blog query links on medical record privacy and confidentiality at <a href="http://hcrenewal.blogspot.com/search/label/medical%20record%20confidentiality">http://hcrenewal.blogspot.com/search/label/medical%20record%20confidentiality</a> and <a href="http://hcrenewal.blogspot.com/search/label/medical%20record%20privacy">http://hcrenewal.blogspot.com/search/label/medical%20record%20privacy</a>); and:</span></div><div class="MsoNormal"><br /></div><div class="MsoNormal"><span style="font-family: "Arial","sans-serif"; font-size: 10.0pt;">5.  The hospital could have accomplished such goals transparently, safely, and without access to private health information, by putting an ad on the radio (or newspaper etc.), or mailing a general newsletter such as I often receive from area hospitals, even hospitals where I was never a patient.</span></div><div class="MsoNormal"><span style="font-family: "Arial","sans-serif"; font-size: 10.0pt;"><br /></span></div><div class="MsoNormal"><span style="font-family: "Arial","sans-serif"; font-size: 10.0pt;">A hospital VP contributed soothing words that the hospital respects patient privacy, trusts its employees and doesn't wish this matter to become a stumbling block in negotiations.  However, in my opinion the hospital violated the HIPAA privacy rules and potentially put patient privacy at risk. </span><br /><br /><span style="font-family: "Arial","sans-serif"; font-size: 10.0pt;">No amount of soothing, deflecting executive language and shifting of the discussion can change that, and a full disclosure accounting would be proper.  </span><br /><br /><span style="font-family: "Arial","sans-serif"; font-size: 10.0pt;">(I note the HIPAA privacy rules do <b>not</b> state "<i>For informational purposes only.  Use patient information however you want if you trust your employees and you think the risk is low..</i>")</span></div><div class="MsoNormal"><br /></div><div class="MsoNormal"><span style="font-family: "Arial","sans-serif"; font-size: 10.0pt;">That is, assuming an audit trail of sufficient detail is recorded in their EHRs, assuming it is turned on, and assuming it can be trusted in light of the HHS OIG report of Dec. 2013 where many hospitals admitted EHR audit trails can be deleted or edited by a person with appropriate credentials.  (See my Dec. 10, 2013 post <b>"</b></span><b>44% of hospitals reported to HHS that they can delete the contents of their EHR audit logs whenever they'd like" </b>at <a href="http://hcrenewal.blogspot.com/2013/12/44-of-hospitals-reported-to-oig-that.html">http://hcrenewal.blogspot.com/2013/12/44-of-hospitals-reported-to-oig-that.html</a><span style="font-family: "Arial","sans-serif"; font-size: 10.0pt;">).</span></div><div class="MsoNormal"><br />The segment audio is online here: <a href="http://www.knpr.org/son/archive/detail2.cfm?SegmentID=10939">http://www.knpr.org/son/archive/detail2.cfm?SegmentID=10939</a><br /><br /><span style="font-family: "Arial","sans-serif"; font-size: 10.0pt;">-- SS </span><br /><b><br /></b><b><span style="font-family: "Arial","sans-serif"; font-size: 10.0pt;">Feb. 14, 2014 Addendum:</span></b><br /><br /><span style="font-family: "Arial","sans-serif"; font-size: 10.0pt;">A thought experiment demonstrates just how far from propriety, in my opinion, this affair is:</span><br /><br /><span style="font-family: "Arial","sans-serif"; font-size: 10.0pt;">If a hospital can use confidential information in this manner, to enlist patients as de facto lobbyists regarding an insurer, then why could not a hospital use other data - e.g., patients' disease burden, smoking status or even sexual orientation to ask them to lobby, say, a politician to gain some advantage, such as certificate-of-need approval for expansion, or anti-competitive legislation?  Or, to ask patients to participate in political activities for/against some politician or group that might hold views or conduct activities favorable/unfavorable to the hospital's interests?</span><br /><br /><span style="font-family: "Arial","sans-serif"; font-size: 10.0pt;">-- SS </span></div><div class="MsoNormal"><span style="font-family: "Arial","sans-serif"; font-size: 10.0pt;"><br /></span></div>

InformaticsMD on NPR Affiliate KNPR regarding electronic medical record privacy: St. Rose hospital group used patient information to solicit patient lobbying?

Radio station News 88.9 KNPR, the NPR affiliate in Las Vegas did a segment today on the following news story.  The station's Senior Producer had invited me to participate via phone regarding patient p…

Đọc thêm »

Another Reason to Put Everyone's Confidental Medical Information Into Today's Massively Secure (Surely They Are, No?) EHR systems

Office of Inspector General<br />Department of the Treasury <br />Oct. 17, 2013<br /><br />Audit report <br /><br /><b>INFORMATION TECHNOLOGY: OCC's (Office of the Comptroller of the Currency) Network and Systems Security Controls Were Deficient</b><br /><br />PDF available at: <a href="http://www.treasury.gov/about/organizational-structure/ig/Audit%20Reports%20and%20Testimonies/OIG-14-001.pdf">http://www.treasury.gov/about/organizational-structure/ig/Audit%20Reports%20and%20Testimonies/OIG-14-001.pdf</a> <br /><br />Highlights:<br /><br /><blockquote class="tr_bq">... To accomplish our objective, we performed a series of internal and external vulnerability assessments and penetration tests on OCC’s workstations, servers, network-attached peripherals (such as cameras and printers), infrastructure devices, and Internet websites.<br /><br />... We determined that OCC’s security measures were<b> not sufficient to fully prevent and detect unauthorized access into its network and systems by internal threats,or external threats that gained an internal foothold.</b> Also, OCC’s security measures were not adequate <b>to fully protect personally identifiable information (PII) from Internet-based threats. </b><br /><br />We found that default factory-preset administrative usernames and passwords were present in OCC’s systems. In one test we conducted, we discovered a default username and password of an internal service account on an OCC server which had local administrator privileges. We used those privileges and deployed our penetration test tool’s agents to the host server. That server contained password hashes for local and domain administrator accounts. Using these hashes, <b>we obtained a domain administrator’s password, which we then used to log on to the network domain controller. With full access given to a typical domain administrative account, we created a domain administrator account and thereby had full control of OCC’s network.</b><br /><br />... In accordance with our Rules of Engagement, we did not attempt to perform actions that would disrupt OCC’s operations, such as deleting data, powering off servers or other resources, locking out accounts, and similar activities, any of which could have resulted in interruption or shutdown of devices or services. However, malicious attackers would have no such restrictions against performing these actions<br /><br />... Because systems and devices connected to OCC’s internal network could freely communicate between one another, with very little internal partitioning, <b>we successfully attacked multiple OCC systems in a very short amount of time from a single workstation. </b></blockquote><br />I offer no additional comments other than, if Treasury's IT security is this lax, just imagine how secure your health information is, sitting on servers at Podunk Hollow General Hospital. <br /><br />-- SS

Another Reason to Put Everyone's Confidental Medical Information Into Today's Massively Secure (Surely They Are, No?) EHR systems

Office of Inspector GeneralDepartment of the Treasury Oct. 17, 2013Audit report INFORMATION TECHNOLOGY: OCC's (Office of the Comptroller of the Currency) Network and Systems Security Controls Were Def…

Đọc thêm »

But Don't Worry, Your Health Information is Secure: the Enforcers are Themselves Incompetent and Broke

Another in my <b>"But Don't Worry, Your Health Information is Secure"</b> series (see <a href="http://hcrenewal.blogspot.com/search/label/medical%20record%20privacy">http://hcrenewal.blogspot.com/search/label/medical%20record%20privacy</a>) ... a promise blindly made by the healthcare information technology hyper-enthusiasts<span style="color: #1f497d;">.</span><br /><br /><blockquote class="tr_bq"><span style="color: #1f497d;">The Office of the Inspector General for HHS just issued a report finding that the Office of Civil Rights (OCR), <i>which is charged with enforcing the HIPAA/HITECH law</i>, had itself failed to adequately protect the security of the health information it handled. Specifically OIG found that OCR “focused on system operability to the detriment of system and data security.”</span></blockquote><br /><span style="color: #1f497d;">From <b>“The Office for Civil Rights Did Not Meet All Federal Requirements in Its Oversight and Enforcement of the Health Insurance Portability and Accountability Act Security Rule”</b>, p. ii (Nov. 2013).  <a href="http://oig.hhs.gov/oas/reports/region4/41105025.asp">http://oig.hhs.gov/oas/reports/region4/41105025.asp</a></span><a href="https://exchangeweb.drexel.edu/owa/redir.aspx?C=cnmQxxd1ok6fZ7r1yAFMffFwO7p2yNAIzU9ZEphzhXivZep_Icu-CQf-7PEVpCAa1XTvDnjs5d4.&URL=http%3a%2f%2foig.hhs.gov%2foas%2freports%2fregion4%2f41105025.asp" style="color: purple;" target="_blank"></a><br /><br /><div class="line">Summary:</div><div class="line"><br /></div><blockquote class="tr_bq">The Office for Civil Rights (OCR) did not meet certain Federal requirements critical to the oversight and enforcement of the Health Insurance Portability and Accountability Act Security Rule (Security Rule). <b>OCR had not assessed risks, established priorities, or implemented controls for its Federal requirements to provide for periodic audits of covered entities to ensure their compliance with Security Rule requirements. </b>In addition, OCR's Security Rule investigation files did not contain required documentation supporting key decisions made <b>because management had not implemented sufficient controls, including supervisory review and documentation retention, to ensure investigators follow investigation policies and procedures for properly initiating, processing, and closing Security Rule investigations.</b> Further, OCR had not fully complied with Federal cybersecurity requirements for its information systems used to process and store investigation data because it focused on system operability <span style="color: red;"><i><b>[I presume they mean 'interoperability' - ed.]</b></i></span> to the detriment of system and data security.<br /><br />We recommended that OCR (1) assess the risks, establish priorities, and implement controls for its HITECH auditing requirements; (2) provide for periodic audits in accordance with HITECH to ensure Security Rule compliance at covered entities; (3) implement sufficient controls, such as supervisory reviews and documentation retention, to ensure policies and procedures for Security Rule investigations are followed; and (4) implement the National Institute of Standards and Technology Risk Management Framework for systems used to oversee and enforce the Security Rule. In its comments on our draft report, OCR generally concurred with our recommendations and described the actions it has taken to address them. In specific comments on our second recommendation, however, <b>OCR explained that no funds had been appropriated for it to maintain a permanent audit program and that funds used to support audit activities previously conducted were no longer available.</b></blockquote><br />The enforcers are themselves negligent, incompetent and broke.  And hospitals are expected to keep electronic protected health information secure? <br /><br />I comment no further.  What more could I possibly write?<br /><br />-- SS<br /><br /><b>Dec. 9, 2013 Addendum:</b><br /><br />This woman would probably agree that this is a problem<br /><br /><blockquote class="tr_bq">Dec. 9, 2013<br /><a href="http://www.thestar.com/news/gta/2013/11/28/disabled_woman_denied_entry_to_us_after_agent_cites_supposedly_private_medical_details.html">http://www.thestar.com/news/gta/2013/11/28/disabled_woman_denied_entry_to_us_after_agent_cites_supposedly_private_medical_details.html </a><br /><br /><b>Disabled woman denied entry to U.S. after agent cites supposedly private medical details</b><br /><br />A Toronto woman is shocked after she was denied entry into the U.S. because she had been hospitalized for clinical depression.<br /><br />Ellen Richardson went to Pearson airport on Monday full of joy about flying to New York City and from there going on a 10-day Caribbean cruise for which she’d paid about $6,000.<br /><br />But a U.S. Customs and Border Protection agent with the Department of Homeland Security killed that dream when he denied her entry.<br /><br />“I was turned away, I was told, because I had a hospitalization in the summer of 2012 for clinical depression,’’ said Richardson, who is a paraplegic and set up her cruise in collaboration with a March of Dimes group of about 12 others.<br /><br />The Weston woman was told by the U.S. agent she would have to get “medical clearance’’ and be examined by one of only three doctors in Toronto whose assessments are accepted by Homeland Security. She was given their names and told a call to her psychiatrist “would not suffice.’’<br /><br />At the time, Richardson said, she was so shocked and devastated by what was going on, she wasn’t thinking about how U.S. authorities could access her supposedly private medical information.<br /><br />“I was so aghast. I was saying, ‘I don’t understand this. What is the problem?’ I was so looking forward to getting away . . . I’d even brought a little string of Christmas lights I was going to string up in the cabin. . . . It’s not like I can just book again right away,’’ she said, referring to the time and planning that goes into taking a trip as a disabled person.<br /><br />Richardson said she’d had no discussion whatsoever with the agent at the airport about her medical history or background. </blockquote><br />Read the whole thing.<br /><br />-- SS

But Don't Worry, Your Health Information is Secure: the Enforcers are Themselves Incompetent and Broke

Another in my "But Don't Worry, Your Health Information is Secure" series (see http://hcrenewal.blogspot.com/search/label/medical%20record%20privacy) ... a promise blindly made by the healthcare infor…

Đọc thêm »

N.S.A. Able to Foil Basic Safeguards of Privacy on Web, Including Medical Records - Yet Another Reason To Be Concerned About What You Tell Your Physician

There's already a major issue with privacy and protection of medical records in electronic form.  See the multiple blog posts at this query link:  <a href="http://hcrenewal.blogspot.com/search/label/medical%20record%20privacy">http://hcrenewal.blogspot.com/search/label/medical%20record%20privacy</a><br /><br />Now this from the New York Times:<br /><br /><blockquote class="tr_bq"><a href="http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html?pagewanted=all&_r=1&">N.S.A. Able to Foil Basic Safeguards of Privacy on Web</a><br />By NICOLE PERLROTH, JEFF LARSON and SCOTT SHANE<br />September 5, 2013<br /><br />The <a class="meta-org" href="http://topics.nytimes.com/top/reference/timestopics/organizations/n/national_security_agency/index.html?inline=nyt-org" title="More articles about National Security Agency, U.S.">National Security Agency</a> is winning its long-running secret war on encryption, using supercomputers, technical trickery, court orders and behind-the-scenes persuasion to undermine the major tools protecting the privacy of everyday communications in the Internet age, according to newly disclosed documents.<br /><br />The agency has circumvented or cracked much of the encryption, or digital scrambling, that guards global commerce and banking systems, <b>protects sensitive data like trade secrets and medical records</b>, and automatically secures the e-mails, Web searches, Internet chats and phone calls of Americans and others around the world, the documents show.  </blockquote><br />But don't worry, your electronic medical records are secure, and will NEVER be used for political purposes by your adversaries...<br /><br /><blockquote class="tr_bq"><div itemprop="articleBody">Beginning in 2000, as encryption tools were gradually blanketing the Web, the N.S.A. invested billions of dollars in a clandestine campaign to preserve its ability to eavesdrop. Having lost a public battle in the 1990s to insert its own “back door” in all encryption, it set out to accomplish the same goal by stealth. </div><div itemprop="articleBody"><br /></div><div itemprop="articleBody">The agency, according to the documents and interviews with industry officials,<b> deployed custom-built, superfast computers to break codes</b>, and began<b> collaborating with technology companies in the United States and abroad to build entry points into their products. </b>The documents do not identify which companies have participated. </div></blockquote><br />At least we may have gotten faster PC's as a side result of the research that supported these efforts.<br /><br /><blockquote class="tr_bq">... the agency used its influence as the world’s most experienced code maker to covertly introduce weaknesses into the encryption standards followed by hardware and software developers around the world.<br /><br />Some of the agency’s most intensive efforts have focused on the encryption in universal use in the United States, including <a href="https://www.globalsign.com/ssl-information-center/what-is-ssl.html" title="More about SSL">Secure Sockets Layer</a>, or SSL; <a href="http://gadgetwise.blogs.nytimes.com/2011/05/17/vpn-for-the-masses/" title="More about VPN">virtual private networks</a>, or VPNs; and the protection used on fourth-generation, or 4G, smartphones. Many Americans, often without realizing it, rely on such protection every time they send an e-mail, buy something online, consult with colleagues via their company’s computer network, or use a phone or a tablet on a 4G network.  </blockquote><br />Might as well just send them a copy of all your communications to spare them the effort...<br /><br /><blockquote class="tr_bq">... Ladar Levison, the founder of Lavabit, wrote <a href="http://lavabit.com/">a public letter</a> to his disappointed customers, offering an ominous warning. “Without Congressional action or a strong judicial precedent,” he wrote,<b> “I would strongly recommend against anyone trusting their private data to a company with physical ties to the United States.” </b> </blockquote><br />Hey, how about let's ALL have our medical records stored by health IT companies providing ASP (<span dir="auto">Application service provider, <a href="http://en.wikipedia.org/wiki/Application_service_provider">http://en.wikipedia.org/wiki/Application_service_provider</a>) offsite EHR hosting </span>services to hospitals and clinics...<br /><br />From the site "techdirt.com":<br /><br /><blockquote class="tr_bq">Allegedly <a href="http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security" target="_blank">the NSA and GCHQ (<span class="st">UK Government Communications Headquarters)</span> have basically gotten backdoors into various key security offerings used online</a>, in part by controlling the standards efforts, and in part by sometimes <i>covertly</i> introducing security vulnerabilities into various products. They haven't "cracked" encryption standards, but rather just found a different way in. The full report is worth reading ... (<a href="http://www.techdirt.com/articles/20130905/12295324417/nsa-gchq-covertly-took-over-security-standards-recruited-telco-employees-to-insert-backdoors.shtml">http://www.techdirt.com/articles/20130905/12295324417/nsa-gchq-covertly-took-over-security-standards-recruited-telco-employees-to-insert-backdoors.shtml</a>).</blockquote><br />Half facetiously: unless you're a real nobody, if you, say, contracted V.D. from that sexy prostitute at that Vegas Convention, you perhaps better not tell your doctor about it.<br /><br />Maybe this is what it will take to get the government to start taking electronic medical record privacy, confidentiality and security more seriously.<br /><br />Our legislators, like everyone else, have a stake in the game.<br /><br />-- SS<br /><br /><br />

N.S.A. Able to Foil Basic Safeguards of Privacy on Web, Including Medical Records - Yet Another Reason To Be Concerned About What You Tell Your Physician

There's already a major issue with privacy and protection of medical records in electronic form.  See the multiple blog posts at this query link:  http://hcrenewal.blogspot.com/search/label/medical%20…

Đọc thêm »

Calling Dr. Moe, Dr. Larry and Dr. Curly: Advocate Medical Breach of Four Million Patient Records, and No Encryption

At my Oct. 2011 post "<b>Still More Electronic Medical Data Chaos, Pandemonium, Bedlam, Tumult and Maelstrom: But Don't Worry, Your Data is Secure</b>" (<a href="http://hcrenewal.blogspot.com/2011/10/still-more-ehr-chaos-pandemonium-bedlam.html">http://hcrenewal.blogspot.com/2011/10/still-more-ehr-chaos-pandemonium-bedlam.html</a>) I thought I'd seen the worst.<br /><br />Yet another post to add to the category of medical record privacy/confidentiality/security (<a href="http://hcrenewal.blogspot.com/search/label/medical%20record%20privacy">http://hcrenewal.blogspot.com/search/label/medical%20record%20privacy),</a> however:<br /><br /><blockquote class="tr_bq"><a href="http://www.healthcareinfosecurity.com/advocate-medical-breach-no-encryption-a-6021">Advocate Medical Breach: No Encryption?</a><br />Computer Theft Raises Questions About Unencrypted Devices<br />By Marianne Kolbasuk McGee, August 27, 2013.<span class="date"></span><br /><br />The recent theft of <b>four unencrypted desktop computers </b>from a Chicago area physician group practice may result in the second biggest healthcare <a href="http://www.healthcareinfosecurity.com/breach-response-c-324"><b>breach</b></a> ever reported to federal regulators. But the bigger issue is: Why do breaches involving unencrypted computer devices still occur?<br /><br />According to the Department of Health and Human Services' "wall of shame" website listing 646 breaches impacting 500 or more individuals since September 2009, more than half of the incidents involved lost or stolen unencrypted devices. Incidents involving data secured by encryption do not have to be reported to HHS.<br /><br />... The <b>four unencrypted but password-protected computers <span style="color: red;"><i>[passwords on PC's are bypassable by smart teenagers - ed.]</i></span> stolen during a burglary in July from an office of <a href="http://www.healthcareinfosecurity.com/breach-may-affect-4-million-patients-a-6018">Advocate Medical Group</a> in Illinois may have exposed information of about 4 million patients,</b> according to an Advocate spokesman. </blockquote><br />4 million is about 1.3 percent of the entire U.S. population (about <a href="https://www.google.com/search?q=us%20population">313.9 million</a> in 2012) ... on just four desktop computers.<br /><br />Try that with paper ...<br /><br />As to the subtitle of the article, "<b>Computer Theft Raises Questions About Unencrypted Devices</b>", I've written on that issue before.  I'd noted questions like that are remarkable considering both MacOS and Windows have built-in, readily available encryption, the latter for a few extra $ for the "deluxe version" (see <span data-ft="{"tn":"K"}" data-reactid=".r[2a5gp].[1][4][1]{comment10200246430313520_4728545}.[0].{right}.[0].{left}.[0].[0].[0][2]"><span data-reactid=".r[2a5gp].[1][4][1]{comment10200246430313520_4728545}.[0].{right}.[0].{left}.[0].[0].[0][2].[0]"><span data-reactid=".r[2a5gp].[1][4][1]{comment10200246430313520_4728545}.[0].{right}.[0].{left}.[0].[0].[0][2].[0].[0]"> </span><a class="" data-reactid=".r[2a5gp].[1][4][1]{comment10200246430313520_4728545}.[0].{right}.[0].{left}.[0].[0].[0][2].[0].[1]" href="http://en.wikipedia.org/wiki/FileVault" rel="nofollow" target="_blank">http://en.wikipedia.org/wiki/FileVault</a><span data-reactid=".r[2a5gp].[1][4][1]{comment10200246430313520_4728545}.[0].{right}.[0].{left}.[0].[0].[0][2].[0].[2]"> and </span><a class="" data-reactid=".r[2a5gp].[1][4][1]{comment10200246430313520_4728545}.[0].{right}.[0].{left}.[0].[0].[0][2].[0].[3]" href="http://en.wikipedia.org/wiki/Bitlocker" rel="nofollow" target="_blank">http://en.wikipedia.org/wiki/Bitlocker</a><span data-reactid=".r[2a5gp].[1][4][1]{comment10200246430313520_4728545}.[0].{right}.[0].{left}.[0].[0].[0][2].[0].[4]">).  </span></span></span><br /><br /><span data-ft="{"tn":"K"}" data-reactid=".r[2a5gp].[1][4][1]{comment10200246430313520_4728545}.[0].{right}.[0].{left}.[0].[0].[0][2]"><span data-reactid=".r[2a5gp].[1][4][1]{comment10200246430313520_4728545}.[0].{right}.[0].{left}.[0].[0].[0][2].[0]"><span data-reactid=".r[2a5gp].[1][4][1]{comment10200246430313520_4728545}.[0].{right}.[0].{left}.[0].[0].[0][2].[0].[4]">Perhaps the best explanation in 2013 for unencrypted desktop PC's containing millions of confidential medical records is this picture, symbolic of the apparent attitudes of corporate and IT management on health IT security:</span></span></span><br /><br /><br /><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnAsw6PW67gX6YJJIVtd1hEp5nCpuf5Re_XG0rDd2AJELzlw8B5pV9bvBxHPXa6DhmesPxvPoc8c_n3Y3u2s3Ki1GxEUgZ_jzbex53lu7i4-pc6eS4SKXr6axDPCCVSmKPpHg_UAPThsnN/s1600/stooges+police300px.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnAsw6PW67gX6YJJIVtd1hEp5nCpuf5Re_XG0rDd2AJELzlw8B5pV9bvBxHPXa6DhmesPxvPoc8c_n3Y3u2s3Ki1GxEUgZ_jzbex53lu7i4-pc6eS4SKXr6axDPCCVSmKPpHg_UAPThsnN/s1600/stooges+police300px.jpg" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;"><span data-ft="{"tn":"K"}" data-reactid=".r[2a5gp].[1][4][1]{comment10200246430313520_4728545}.[0].{right}.[0].{left}.[0].[0].[0][2]"><span data-reactid=".r[2a5gp].[1][4][1]{comment10200246430313520_4728545}.[0].{right}.[0].{left}.[0].[0].[0][2].[0]"><span data-reactid=".r[2a5gp].[1][4][1]{comment10200246430313520_4728545}.[0].{right}.[0].{left}.[0].[0].[0][2].[0].[4]">Encryption?  We don't need no encryption.  We got triple protection already!</span></span></span></td></tr></tbody></table><span data-ft="{"tn":"K"}" data-reactid=".r[2a5gp].[1][4][1]{comment10200246430313520_4728545}.[0].{right}.[0].{left}.[0].[0].[0][2]"><span data-reactid=".r[2a5gp].[1][4][1]{comment10200246430313520_4728545}.[0].{right}.[0].{left}.[0].[0].[0][2].[0]"><span data-reactid=".r[2a5gp].[1][4][1]{comment10200246430313520_4728545}.[0].{right}.[0].{left}.[0].[0].[0][2].[0].[4]"><br /></span></span></span><span data-ft="{"tn":"K"}" data-reactid=".r[2a5gp].[1][4][1]{comment10200246430313520_4728545}.[0].{right}.[0].{left}.[0].[0].[0][2]"><span data-reactid=".r[2a5gp].[1][4][1]{comment10200246430313520_4728545}.[0].{right}.[0].{left}.[0].[0].[0][2].[0]"><span data-reactid=".r[2a5gp].[1][4][1]{comment10200246430313520_4728545}.[0].{right}.[0].{left}.[0].[0].[0][2].[0].[4]"><br /></span></span></span><span data-ft="{"tn":"K"}" data-reactid=".r[2a5gp].[1][4][1]{comment10200246430313520_4728545}.[0].{right}.[0].{left}.[0].[0].[0][2]"><span data-reactid=".r[2a5gp].[1][4][1]{comment10200246430313520_4728545}.[0].{right}.[0].{left}.[0].[0].[0][2].[0]"><span data-reactid=".r[2a5gp].[1][4][1]{comment10200246430313520_4728545}.[0].{right}.[0].{left}.[0].[0].[0][2].[0].[4]">-- SS</span></span></span><br /><span data-ft="{"tn":"K"}" data-reactid=".r[2a5gp].[1][4][1]{comment10200246430313520_4728545}.[0].{right}.[0].{left}.[0].[0].[0][2]"><span data-reactid=".r[2a5gp].[1][4][1]{comment10200246430313520_4728545}.[0].{right}.[0].{left}.[0].[0].[0][2].[0]"><span data-reactid=".r[2a5gp].[1][4][1]{comment10200246430313520_4728545}.[0].{right}.[0].{left}.[0].[0].[0][2].[0].[4]"><br /></span></span></span>

Calling Dr. Moe, Dr. Larry and Dr. Curly: Advocate Medical Breach of Four Million Patient Records, and No Encryption

At my Oct. 2011 post "Still More Electronic Medical Data Chaos, Pandemonium, Bedlam, Tumult and Maelstrom: But Don't Worry, Your Data is Secure" (http://hcrenewal.blogspot.com/2011/10/still-more-ehr-…

Đọc thêm »

Kim Kardashian, Meet Electronic Medical Records

In yet another example of breach of medical record privacy (<a href="http://hcrenewal.blogspot.com/search/label/medical%20record%20privacy">http://hcrenewal.blogspot.com/search/label/medical%20record%20privacy</a>), Kim Kardashian's privacy on the birth of her daughter, as well as the privacy of <span id="articleText">more than a dozen other patients, was violated between June 18 and June 24:</span><br /><span id="articleText"> </span><span id="articleText"> </span><br /><blockquote class="tr_bq"><span id="articleText"></span><span id="articleText"></span><span id="articleText"><a href="http://www.reuters.com/article/2013/07/14/entertainment-us-usa-hospital-privacy-idUSBRE96D00520130714">Workers fired in privacy breach at L.A. hospital popular with stars</a></span><br /><span id="articleText"><br />LOS ANGELES | Sat Jul 13, 2013<br /><br />(Reuters) - Five medical workers have been fired over a patient data breach at Cedars-Sinai Medical Center, the Los Angeles facility said in a statement, while celebrity website TMZ reported on Saturday<b> that the hacking effort targeted reality star Kim Kardashian.</b><br />Cedars-Sinai, a favorite destination for celebrities seeking medical care, said in the statement it has a <b>"high standard for security"</b> and "in this case that standard was violated."  <span style="color: red;"><i><b>[How do ordinary hospital workers, medical assistants, and even a volunteer as below violate a "high standard for security", I wonder? - ed.] </b></i></span><br /><br />Kardashian, the star of the reality television show "Keeping Up With the Kardashians," gave birth on June 15 at Cedars-Sinai to daughter North West, whose father is Grammy-winning rap star Kanye West.<br /><br />Cedars-Sinai officials declined to say whose privacy had been breached, but the hospital said it "informed the affected patients" and apologized to them.<br /><b><br />The breach of 14 patient records occurred between June 18 and June 24, the hospital statement said.</b><br /><br />TMZ reported that Kardashian checked out of Cedars-Sinai about a week after she gave birth and was contacted by the hospital and told she was one of the patients whose records were accessed.<br /><br />TMZ, which cited unnamed sources, <b>said Kardashian's family suspected a leak of information at Cedars-Sinai after media reports disclosed details Kardashian had not revealed to anyone.</b><br /><br />Representatives for Kardashian did not return calls or emails seeking comment on Saturday.<br /><br />The Cedars-Sinai statement said <b>four of the workers who inappropriately logged onto the hospital's information system to access patient records were employees of local physicians with staff privileges at the hospital.</b><br /><br /><b>The other workers were a medical assistant employed by the Cedars-Sinai Medical Care Foundation and a student research assistant who was a volunteer</b>, the hospital said. As a result of the privacy breach, the five medical workers with ties to Cedars-Sinai were fired and the volunteer barred from working there, it said.<br /><br />Cedars-Sinai said that while it had no indication "any criminal acts were committed by the individuals" it was reaching out to law enforcement agencies in "an abundance of caution."</span></blockquote><br />It looks like the "high standard for security" needs some work. <br /><br />(A paper chart could have been sequestered, of course, not permitting its access by riff raff, but then there would not be all the tremendous advantages of today's commercial EHRs such as detailed at <a href="http://hcrenewal.blogspot.com/2013/07/rns-say-sutters-new-electronic-system.html">http://hcrenewal.blogspot.com/2013/07/rns-say-sutters-new-electronic-system.html</a>.)<br /><br />-- SS <br /><blockquote class="tr_bq"></blockquote>

Kim Kardashian, Meet Electronic Medical Records

In yet another example of breach of medical record privacy (http://hcrenewal.blogspot.com/search/label/medical%20record%20privacy), Kim Kardashian's privacy on the birth of her daughter, as well as th…

Đọc thêm »

IRS faces class action lawsuit over theft of 60 million medical records

Try this with paper records.  This is spectacular (as in, spectacularly alarming) if true:<br /><br /><blockquote class="tr_bq"><a href="http://www.healthcareitnews.com/news/irs-face-lawsuit-over-theft-60-million-patient-health-records?topic=08%2C18" target="_blank">IRS faces class action lawsuit over theft of 60 million medical records</a><br /><br />The Internal Revenue Services is now facing a class action lawsuit over allegations that it improperly accessed and stole the health records of some 10 million Americans, including medical records of all California state judges.<br /><br />According to a <a href="http://www.courthousenews.com/2013/03/14/55707.htm">report</a> by Courthousenews.com, an unnamed HIPAA-covered entity in California is suing the IRS, alleging that some<b> 60 million medical records from 10 million patients were stolen by 15 IRS agents</b>. The personal health information seized on March 11, 2011, included psychological counseling, gynecological counseling, sexual/drug treatment and other medical treatment data.<br /><br />"This is an action involving the corruption and abuse of power by several Internal Revenue Service agents," the complaint reads. "No search warrant authorized the seizure of these records; no subpoena authorized the seizure of these records; none of the 10,000,000 Americans were under any kind of known criminal or civil investigation and their medical records had no relevance whatsoever to the IRS search. IT personnel at the scene, a HIPPA facility warning on the building and the IT portion of the searched premises, and the company executives each warned the IRS agents of these privileged records," it continued.   According to the case, the IRS agents had a search warrant for financial data pertaining to a former employee of the John Doe company, however, "it did not authorize any seizure of any healthcare or medical record of any persons, least of all third parties completely unrelated to the matter," the complaint read.<br /><br />The class action lawsuit against the IRS seeks $25,000 in compensatory damages "per violation per individual" in addition to punitive damages for constitutional violations.  Thus, compensatory damages could start at a minimum of $250 billion.</blockquote><br />According to the linked Courthousenews.com piece, the class is represented by attorney Robert E. Barnes of Malibu, California.   The Complaint is reported to state that the IRS' data theft was so enormous it affects "roughly one out of every twenty-five adult American citizens."<br /><br />If a government agency decides to steal medical records, I'd rather the records be on paper than electronic. I think it's inarguable that it is a lot harder for 15 people to haul 60,000,000 paper charts away than a few hard disks.<br /><br />Mass theft of records must be factored into the risk/benefit ratio of electronic health records.  See other posts on this topic at the label index terms below.<br /><br /><b>Addendum: </b> the Complaint is <a href="http://www.phiprivacy.net/wp-content/uploads/37-2013-00038750-CU-CR-CTL_roa1_03-11-13_.pdf" target="_blank">here</a> (PDF). <br /><br />-- SS

IRS faces class action lawsuit over theft of 60 million medical records

Try this with paper records.  This is spectacular (as in, spectacularly alarming) if true:IRS faces class action lawsuit over theft of 60 million medical recordsThe Internal Revenue Services is now fa…

Đọc thêm »

But don't worry, your EHR information is secure

My last reminder of this issue was almost a half-year ago, but I think a repeat is in order. <br /><br />More bugs squashed: <br /><br /><a href="http://www.zdnet.com/microsoft-fixes-critical-windows-ie-flaws-for-patch-tuesday-7000012352/" target="_blank">Microsoft fixes critical Windows, IE flaws for Patch Tuesday</a><br /><br /><blockquote class="tr_bq">Microsoft has released four critical security updates for Windows and Internet Explorer, along with a bevy of other products, in order to <a href="http://technet.microsoft.com/en-us/security/bulletin/ms13-mar">protect against at least 19 vulnerabilities</a> identified in its software.<br /><br />On deck this month, there are four "critical" vulnerabilities that affect Windows, Internet Explorer, Office, and Windows Server, including one for Silverlight that affects both Windows and Mac machines.<br /><br />The most severe Internet Explorer flaw affected all versions of Windows XP (Service Pack 3) and above, including Vista, Windows 7, and Windows 8 — including tablets running Windows RT — running Internet Explorer 6 and above. <b>The flaw could have allowed a hacker to access the vulnerable system with the same user rights.</b><br /><br />... The <a href="http://technet.microsoft.com/en-us/security/bulletin/ms13-mar">other vulnerabilities rated as "important"</a> could allow data and information disclosure, or an elevation of privileges on affected machines. These affect SharePoint, OneNote, Outlook for Mac, and kernel-mode drivers in Windows-based machines. </blockquote><br />I note that Windows XP is now more than a decade old, but Windows RT is brand-spanking new. <br /><br />In a Nov. 2012 post somewhat vexatiously entitled "<a href="http://hcrenewal.blogspot.com/2012/11/why-its-crazy-to-want-your-most.html" target="_blank">Why It's Crazy to Want Your Most Confidential Information Put into An Electronic Medical Records System</a>" about Windows 8 flaws, <b>I had indicated how common Microsoft products were in hospital IT.</b><br /><br />I stand by that vexatious title.<br /><br />But don't worry, your confidential medical information is secure, and your safety against malfunctioning IT that loses your critical medical information after hackers invade is assured, in our current rushed national health IT rollout.<br /><br />What is the answer?  Until this technology has significantly been secured and debugged, this old triad applies:<br /><br /><ul><li>If you want your information secure, don't put it on a computer.</li><li>If you must put it on a computer but still want some degree of security, don't put the computer on a network.</li><li>If you must put the computer on a network, especially a network connected to the Internet, your information is no longer secure.  </li></ul>It's premature in my view to be building and operationalizing national health records networks.  Unless, that is, patient information privacy, security and confidentiality are secondary considerations.<br /><br />(In my view, they are seen by the national IT builders and promoters as secondary considerations, but the builders and promoters will never admit it, perhaps even to themselves.)<br /><ul></ul>-- SS <br /><br />

But don't worry, your EHR information is secure

My last reminder of this issue was almost a half-year ago, but I think a repeat is in order. More bugs squashed: Microsoft fixes critical Windows, IE flaws for Patch TuesdayMicrosoft has released four…

Đọc thêm »

Senator Stephen H. Martin of Virginia: proposed limitations on use, storage, sharing, & processing of electronic medical record data

Here's a politician who certainly seems concerned with the <a href="http://hcrenewal.blogspot.com/search/label/medical%20record%20privacy" target="_blank">privacy and confidentiality</a> and <a href="http://hcrenewal.blogspot.com/2009/04/have-we-suffered-complete-breakdown-in.html" target="_blank">flawed-analysis</a> downsides of electronic health records -  <a href="http://lis.virginia.gov/cgi-bin/legp604.exe?131+mbr+S41" target="_blank">Senator Stephen H. Martin</a> <span style="font-size: small;">of Virginia<span style="font-size: small;">:</span></span><br /><br /><hr size="1" /><div class="topLine"></div><div class="topLine"><b><a href="http://lis.virginia.gov/cgi-bin/legp604.exe?131+sum+SB1275" target="_blank">SB 1275</a> Medical data in an electronic or digital format; limitations on use, storage, sharing, & processing. </b></div><h4>SUMMARY AS INTRODUCED:</h4><blockquote class="tr_bq"><b>Medical data</b>. Prohibits any person that regularly stores medical data in an electronic or digital format from (i) participating in the establishment or implementation of the Nationwide Health Information Network; (ii) performing any analytic or statistical processing with regard to any medical records from multiple patients for purposes of medical diagnosis or treatment, including population health management; or (iii) processing medical data at a facility within the Commonwealth in any instance where a majority of the patients whose medical data is being processed do not reside in the Commonwealth. A database at which medical data is regularly stored in an electronic or digital format shall not store or maintain in a manner that is accessible by the operator or any other person, in an electronic or digital format, at any one time, medical data regarding more than 10,000 patients. </blockquote><br />Of note, the bill also counters the coercive aspects of the HITECH bill, stealthily sneaked into the Economic Recovery Act (ARRA) without so much as a peep of public comment, thanks to the Health IT lobby (as described by Robert O'Harrow Jr. in the WaPo in May 2009, see <a href="http://hcrenewal.blogspot.com/2009/05/machinery-behind-healthcare-reform-how.html" target="_blank">here</a>):<br /><br /><blockquote class="tr_bq"><b>The measure provides that any health care provider shall not be subject to any penalty, sanction, or other adverse action resulting from its failure or refusal to implement an online computerized medical record system. </b>A patient's consent to the sharing of his health care information shall be presumed not to grant consent to the electronic or digital storing or transmission of the information to any person other than for health care coverage purposes. Finally, the measure prohibits the Commonwealth from authorizing the establishment or operation of a health information exchange. </blockquote><br />The proposal seems authoritarian in terms of use of aggregated, de-identified medical data for public health purposes.  In the current environment, however, of health IT hyper-exuberance, misuse of medical data (e.g., putting it up for sale as at <a href="http://hcrenewal.blogspot.com/2009/10/private-medical-records-offered-for.html" target="_blank">link</a>, <a href="http://hcrenewal.blogspot.com/2009/10/health-it-vendors-trafficking-in.html" target="_blank">link</a>) and repeated major security breaches, perhaps a return to sanity requires putting the brakes on - hard - and performing a 'system reset.'<br /><br />It's clear the hyperenthusiasts will not like this proposed legislation. <br /><br />-- SS

Senator Stephen H. Martin of Virginia: proposed limitations on use, storage, sharing, & processing of electronic medical record data

Here's a politician who certainly seems concerned with the privacy and confidentiality and flawed-analysis downsides of electronic health records -  Senator Stephen H. Martin of Virginia:SB 1275 Medic…

Đọc thêm »

Why It's Crazy to Want Your Most Confidential Information Put into An Electronic Medical Records System

Besides the reasons I outlined in posts retrievable by these query links (<a href="http://hcrenewal.blogspot.com/search/label/medical%20record%20confidentiality" target="_blank">link</a>, <a href="http://hcrenewal.blogspot.com/search/label/medical%20record%20privacy" target="_blank">link</a>), there's this from ZDNet.com:<br /><br /><blockquote class="tr_bq"><a href="http://www.zdnet.com/microsoft-warns-of-first-critical-windows-8-rt-security-flaws-7000007175/?s_cid=e539" target="_blank">Microsoft warns of first critical Windows 8, RT security flaws </a><br /><br />It's been less than a month since Windows 8 and Windows RT-powered Surface tablets were launched and went on sale, but Microsoft is already warning that the two next-generation operating systems contain <a href="http://technet.microsoft.com/en-us/security/bulletin/ms12-nov">critical security vulnerabilities that are due to be patched</a> this coming Tuesday.<br /><br />Among the various flaws, <b>versions from Windows XP (Service Pack 3) all the way through to Windows 8 are affected</b>, including versions of the Office suite, and versions of Windows Server. Released only in September, Windows Server 2012 requires patching to maintain maximum security.<br /><br />The latest vulnerabilities include three critical security vulnerabilities for Windows 8, and one critical security vulnerability for the Surface-based Windows RT operating system. These flaws are considered "critical" and could allow remote code execution on vulnerable systems. </blockquote><br />I note that Windows XP was released worldwide for retail sale on <a href="http://en.wikipedia.org/wiki/Windows_XP" target="_blank">October 25, 2001</a>, which was more than eleven years ago.  That security vulnerabilities are still being patched in 2012 is stunning.  Also, many enterprise information systems and most hospital clients (workstations) run on Windows-based servers and Windows installed local machines (UNIX, MacOS and other OS's are very rare on general-purpose hospital workstations).<br /><br />From a Microsoft website <a href="http://www.microsoft.com/industry/government/health/physician.aspx" target="_blank">here</a>: <br /><br /><div style="padding-left: 20px;"><div class="contentText1 padding_btm1">... The partners listed below are CCHIT 07/08 certified and fully utilize the Microsoft database and server platform.</div><div><table border="0" cellpadding="2" cellspacing="0" style="width: 100%px;"> <tbody><tr align="left" class="padding_btm1" valign="top"> <td><a class="normalLink" href="http://www.microsoft.com/industry/government/health/physician_partners.mspx#Abraxas_Medical_Solutions">Abraxas Medical Solutions</a> </td> <td><a class="normalLink" href="http://www.microsoft.com/industry/government/health/physician_partners.mspx#gehealthcare">GE Healthcare</a> </td> </tr><tr align="left" class="padding_btm1" valign="top"> <td><a class="normalLink" href="http://www.microsoft.com/industry/government/health/physician_partners.mspx#Allscripts">Allscripts</a> </td> <td><a class="normalLink" href="http://www.microsoft.com/industry/government/health/physician_partners.mspx#gMed">gMed</a> </td> </tr><tr align="left" class="padding_btm1" valign="top"> <td><a class="normalLink" href="http://www.microsoft.com/industry/government/health/physician_partners.mspx#Aprima_Medical_Software_Inc.">Aprima Medical Software Inc.</a> </td> <td><a class="normalLink" href="http://www.microsoft.com/industry/government/health/physician_partners.mspx#Greenway_Medical_Technologies">Greenway Medical Technologies</a> </td> </tr><tr align="left" class="padding_btm1" valign="top"> <td><a class="normalLink" href="http://www.microsoft.com/industry/government/health/physician_partners.mspx#ASG_Software_Solutions">ASG Software Solutions</a> </td> <td><a class="normalLink" href="http://www.microsoft.com/industry/government/health/physician_partners.mspx#Henry_Schein">Henry Schein, Inc.</a> </td> </tr><tr align="left" class="padding_btm1" valign="top"> <td><a class="normalLink" href="http://www.microsoft.com/industry/government/health/physician_partners.mspx#Eclipsys">Eclipsys</a> </td> <td><a class="normalLink" href="http://www.microsoft.com/industry/government/health/physician_partners.mspx#McKesson">McKesson</a> </td> </tr><tr align="left" class="padding_btm1" valign="top"> <td><a class="normalLink" href="http://www.microsoft.com/industry/government/health/physician_partners.mspx#e-MDs">e-MDs</a> </td> <td><a class="normalLink" href="http://www.microsoft.com/industry/government/health/physician_partners.mspx#NextGen">NextGen</a> </td> </tr><tr align="left" class="padding_btm1" valign="top"> <td><a class="normalLink" href="http://www.microsoft.com/industry/government/health/physician_partners.mspx#GEMMS">GEMMS, Inc.</a> </td> <td><a class="normalLink" href="http://www.microsoft.com/industry/government/health/physician_partners.mspx#urochartehr">UroChartEHR</a> </td> </tr><tr align="left" class="padding_btm1" valign="top"> <td><a class="normalLink" href="http://www.microsoft.com/industry/government/health/physician_partners.mspx#gloStream">gloStream</a> </td> <td><a class="normalLink" href="http://www.microsoft.com/industry/government/health/physician_partners.mspx">Learn more about our partners</a> </td> </tr></tbody></table></div></div><div><br />This partial list includes many very large HIT sellers.  There are many others as well.</div><br />By simple reckoning, it's likely we'll be seeing critical security vulnerabilities in Windows 8 - in 2023.<br /><br />It goes without saying that these security problems will continue to be exploited by identity thieves, medical information merchants, and others with no rights to "protected" information. <br /><br />In my opinion, the (still not yet realized) convenience of being able to have one doctor transmit your record to another, thus avoiding a FAX machine, the Postal Service or the telephone, and the <a href="http://hcrenewal.blogspot.com/2012/09/wsj-koppel-and-soumerai-major-glitch.html" target="_blank">trillion-dollar</a> "solution" to the nearly non-existent problem of being found unconscious in some foreign land with no ID, no companions, and some hidden, critical medical condition not findable on physical exam and bloodwork, EKG, x-rays etc. that will cause death if not treated in minutes, is not worth the risk of having one's most private information spilled all over the Internet.<br /><br />EHR's should not be accessible on networks beyond a physician's office or the robustly encrypted network of a hospital, and the information security personnel kept on very short leashes, for the foreseeable future.<br /><br />I am unwilling to cede my own privacy to cybernetic utopians who ignore alarming evidence - plain to see at the aforementioned query links at the top of this post - nor can I in good faith recommend doing so to the public in 2012.<br /><br />Considering the information in the many posts at the aforementioned query links (as here: <a href="http://hcrenewal.blogspot.com/search/label/medical%20record%20confidentiality" target="_blank">link</a>, <a href="http://hcrenewal.blogspot.com/search/label/medical%20record%20privacy" target="_blank">link</a> -- be aware you need to hit "older posts" at the bottom of each page to see all of them), that position is straightforward. <br /><br />-- SS<br /><br /><b>11/9/2012 Addendum:</b><br /><br />Also see my Oct. 2012 post "<a href="http://hcrenewal.blogspot.com/2012/10/computer-viruses-are-rampant-on-medical.html" target="_blank">Computer Viruses Are 'Rampant' on Medical Devices in Hospitals</a>." <br /><br />-- SS

Why It's Crazy to Want Your Most Confidential Information Put into An Electronic Medical Records System

Besides the reasons I outlined in posts retrievable by these query links (link, link), there's this from ZDNet.com:Microsoft warns of first critical Windows 8, RT security flaws It's been less than a …

Đọc thêm »

Computer Viruses Are "Rampant" on Medical Devices in Hospitals

As if there weren't enough problems with hospitals as computing backwaters, now there's this:<br /><br /><blockquote class="tr_bq"><a href="http://www.technologyreview.com/news/429616/computer-viruses-are-rampant-on-medical-devices/" target="_blank"><b>Computer Viruses Are "Rampant" on Medical Devices in Hospitals</b></a><br /><br />A meeting of government officials reveals that medical equipment is becoming riddled with malware.<br /><br />Technology Review<br />Published by MIT<br />David Talbot<br />Wednesday, October 17, 2012 <br /><br />Computerized hospital equipment is increasingly vulnerable to malware infections, according to participants in a recent government panel. These infections can clog patient-monitoring equipment and other software systems, at times rendering the devices temporarily inoperable.<br /><br /><b>While no injuries have been reported</b>, the malware problem at hospitals is clearly rising nationwide, says Kevin Fu, a leading expert on medical-device security and a computer scientist at the University of Michigan and the University of Massachusetts, Amherst, who took part in the panel discussion.</blockquote><br />I note the seemingly universal refrain<b> </b>"<b>no injuries have been reported</b>" once more (see <a href="http://hcrenewal.blogspot.com/search/label/Patient%20care%20has%20not%20been%20compromised" target="_blank">this query link</a> to similar statements regarding IT malfunctions), which is irrelevant since reporting mechanisms for medical errors are <a href="http://www.seattlepi.com/local/article/Despite-law-medical-errors-likely-go-unreported-889076.php" target="_blank">noted to be deficient</a>.<br /><br /><blockquote class="tr_bq">Software-controlled medical equipment has become increasingly interconnected in recent years, and many systems run on variants of Windows, a common target for hackers elsewhere. The devices are usually connected to an internal network that is itself connected to the Internet, and they are also vulnerable to infections from laptops or other device brought into hospitals.  <b><span style="color: red;"><i>[I note that it should be impermissible to connect "alien" machines to a hospital<span style="color: black;">'s</span> network without authorization, and that attaining that level of security protection is not difficult - ed.] </i></span> </b>The problem is exacerbated by the fact that manufacturers often will not allow their equipment to be modified, even to add security features.<br /><br />In a typical example, at Beth Israel Deaconess Medical Center in Boston, 664 pieces of medical equipment are <b>running on older Windows operating systems that manufactures will not modify or allow the hospital to change</b>—even to add antivirus software—because of disagreements over whether modifications could run afoul of U.S. Food and Drug Administration regulatory reviews, Fu says.</blockquote><br />In other words, let's run at high risk if it avoids the time and expense of FDA reviews that would ensure the equipment is safe and operates as expected with the software updates.<br /><br /><blockquote class="tr_bq">As a result, these computers are frequently infected with malware, and one or two have to be taken offline each week for cleaning, says Mark Olson, chief information security officer at Beth Israel.</blockquote><br />It is unclear how the servers running the hospital information system, electronic health records systems, physician order entry systems etc. are immune to spread of the malware.<br /><blockquote class="tr_bq"><br />"I find this mind-boggling," Fu says. "Conventional malware is rampant in hospitals because of medical devices using unpatched operating systems. There's little recourse for hospitals when a manufacturer refuses to allow OS updates or security patches."<br /><br />The worries over possible consequences for patients were described last Thursday at a meeting of a medical-device panel at the National Institute of Standards and Technology Information Security and Privacy Advisory Board, of which Fu is a member, in Washington, D.C. At the meeting, Olson described <b>how malware at one point slowed down fetal monitors used on women with high-risk pregnancies being treated in intensive-care wards.</b></blockquote><br />In its face, that is potentially catastrophic depending on the degree of "slowdown" and whether data is lost.<br /><br /><blockquote class="tr_bq"><b>"It's not unusual for those devices, for reasons we don't fully understand, to become compromised to the point where they can't record and track the data,</b>" Olson said during the meeting, referring to high-risk pregnancy monitors. "Fortunately, we have a fallback model because they are high-risk [patients]. They are in an IC unit—there's someone physically there to watch. <b>But if they are stepping away to another patient, there is a window of time for things to go in the wrong direction."</b></blockquote><br />The reasons seem obvious to anyone who's had a serious malware infection on their PC.  I've only had one - a computer I bought at a fleamarket for $7 was so severely infected it was unusable for even basic tasks, and was resistant to virus removal.  I solved that problem by installing a fresh copy of the OS, immediately followed by all patches and the latest anti-malware software.<br /><br /><blockquote class="tr_bq">The computer systems at fault in the monitors were replaced several months ago by the manufacturer, Philips; the new systems, based on Windows XP, have better protections and the problem has been solved, Olson said in a subsequent interview.</blockquote><br />This implies the older systems were running on Win 98 or earlier or an old version of Win NT.  Amazing.<br /><br /><blockquote class="tr_bq">At the meeting, Olson also said similar problems threatened a wide variety of devices, ranging from compounders, which prepare intravenous drugs and intravenous nutrition, to picture-archiving systems associated with diagnostic equipment, including massive $500,000 magnetic resonance imaging devices.<br /><br />Olson told the panel that infections have stricken many kinds of equipment,<b> raising fears that someday a patient could be harmed.</b> "We also worry about situations where blood gas analyzers, compounders, radiology equipment, nuclear-medical delivery systems, could become compromised to where they can't be used, or they become compromised to the point where their values are adjusted without the software knowing," he said. He explained that when a machine becomes clogged with malware, it could in theory "miss a couple of readings off of a sensor [and] erroneously report a value, which now can cause harm."</blockquote><br />I opine that harm could already have occurred; it just may not been recognized as such nor reported.  Disappearing data and other EHR failure modes known to have caused harm and/or deaths could be related to malware, for example.<br /><br /><blockquote class="tr_bq">... Malware problems on hospital devices <b>are rarely reported to state or federal regulators</b>, both Olson and Fu said. This is partly because hospitals believe they have little recourse. Despite FDA guidance issued in 2009 to hospitals and manufacturers—encouraging them to work together and stressing that eliminating security risks does not always require regulatory review—many manufacturers interpret the fine print in other ways and don't offer updates, Fu says. And such reporting is not required unless a patient is harmed. "Maybe that's a failing on our part, that we aren't trying to raise the visibility of the threat," Olson said. "But I think we all feel the threat gets higher and higher."</blockquote><br />I note that health IT related problems are also rarely reported, with only one vendor being the exception (see my post on the <b>FDA MAUDE</b> voluntary reporting database <a href="http://hcrenewal.blogspot.com/2011/01/maude-and-hit-risk-mother-mary-what-in.html" target="_blank">here</a>).  The reasons likely are not because "hospitals believe they have little recourse" - the real reasons may be fear, complacency and/or incompetence.<br /><blockquote class="tr_bq"><br />Speaking at the meeting, Brian Fitzgerald, an FDA deputy director, said that in visiting hospitals around the nation, he has found Beth Israel's problems to be widely shared. <b>"This is a very common profile," </b>he said. The FDA is now reviewing its regulatory stance on software, Fitzgerald told the panel. "This will have to be a gradual process, because it involves <b>changing the culture,</b> changing the technology, bringing in new staff, and making a systematic approach to this," he said.</blockquote><br />Changing the culture would be nice, considering we are now entering a national rollout of complex enterprise clinical resource and workflow control systems anachronistically known as "electronic medical records."<br /><br /><blockquote class="tr_bq">In an interview Monday, Tam Woodrum, a software executive at the device maker GE Healthcare, said manufacturers are in a tough spot, and the problems are amplified as hospitals expect more and more interconnectedness. He added that despite the FDA's 2009 guidance, regulations make system changes difficult to accomplish: "In order to go back and update the OS, with updated software to run on the next version, <b>it's an onerous regulatory process."</b></blockquote><br />My comment is, if you can't take the heat of work in the real-world medical setting, if you cannot be part of the medical team, then get out of the clinic.  You're likely to do more harm than good.<br /><br /><blockquote class="tr_bq">John Halamka, Beth Israel's CIO and a Harvard Medical School professor, said he began asking manufacturers for help in isolating their devices from the networks after trouble arose in 2009: the Conficker worm caused problems with a Philips obstetrical care workstation, a GE radiology workstation, and nuclear medical applications that "could not be patched due to [regulatory] restrictions." He said, "No one was harmed, but we had to shut down the systems, clean them, and then isolate them from the Internet/local network."<br /><br />He added: "<b>Many CTOs <span style="color: red;"><i>[chief technology officers - ed.]</i></span> are not aware of how to protect their own products with restrictive firewalls</b>. All said they are working to improve security but have not yet produced the necessary enhancements."</blockquote><br />Then why are they CTO's?<i><b> </b></i> Is this the phenomenon of generic or underqualified managers rearing its head?<i><b><br /></b></i><br /><blockquote class="tr_bq"><br />Fu says that medical devices need to stop using insecure, unsupported operating systems. "More hospitals and manufacturers need to speak up about the importance of medical-device security," he said after the meeting. "<b>Executives at a few leading manufacturers are beginning to commit engineering resources to get security right</b>, but there are thousands of software-based medical devices out there."</blockquote><br />One can only wonder if others have done a Ford Pinto cost-benefit analysis and decided the costs of settlement from injured and dead patients is less than the cost of remediation. <br /><br />-- SS

Computer Viruses Are "Rampant" on Medical Devices in Hospitals

As if there weren't enough problems with hospitals as computing backwaters, now there's this:Computer Viruses Are "Rampant" on Medical Devices in HospitalsA meeting of government officials reveals tha…

Đọc thêm »

Bad health IT and its effects on willingness of patients to share sensitive information

I call your attention to this video from the <b>2nd International Summit on the Future of Health Privacy</b> where HC Renewal occasional contributor Dr. Scott Monteith, a psychiatrist, presents on how health IT damages the physician-patient relationship, the bedrock of good medicine, in one case via an inexcusable health IT defect.<br /><br />The defect nearly cost a woman her good reputation - and her child - by "transforming" coffee drinking into solvent sniffing.<br /><br />The video is here:  <a href="http://www.healthprivacysummit.org/events/2012-health-privacy-summit/custom-129-ec40d08a35f947e487f68a5f534a9e82.aspx">http://www.healthprivacysummit.org/events/2012-health-privacy-summit/custom-129-ec40d08a35f947e487f68a5f534a9e82.aspx</a><br /><br /><br /><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="http://www.healthprivacysummit.org/events/2012-health-privacy-summit/custom-129-ec40d08a35f947e487f68a5f534a9e82.aspx" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="178" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgS2ctf3aR4Od2Bas-tSrdYlO963ONIhluMMnfJ4PqF6gnU2QE8aefxAY08YzO3AgjN8hxWUT18SOKNirUmulqLb1Zbg7mzNbET9VfcD6g8SM1xA5JVVOCFhfXt3iPPs-E4za0PXHd0Vv76/s320/monteith.jpg" width="320" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Dr. Monteith on how bad health IT damages trust.  <b>See video <a href="http://www.healthprivacysummit.org/events/2012-health-privacy-summit/custom-129-ec40d08a35f947e487f68a5f534a9e82.aspx" target="_blank">at this link</a></b> starting at 4:40.</td></tr></tbody></table><br />Dr. Monteith starts at 4:40 when he is asked<br /><br /><blockquote class="tr_bq"><i><b>"Do you feel HIT affects the willingness of patients to share sensitive information with providers?"</b></i></blockquote><br />His answer is a definite <b>"yes"</b>, and the video should be seen to understand his reasons, the largest one being the trust that is injured by this technology as currently (mal)implemented, failing to maintain privacy, data integrity, affecting doctor-patient interaction (e.g., due to poor usability), etc.<br /><br />His two examples where HIT has injured trust, resulting in decreased willingness of patients to share sensitive information:<br /><br /><ul><li>A patient feared <b>compromised privacy</b> regarding psychiatric information (a fear that was certainly well-justified in view of ABC's recent expose of health IT breaches as I wrote about at my Sep. 14, 2012 post "<a href="http://hcrenewal.blogspot.com/2012/09/a-reason-to-refuse-use-of-ehrs-in-your.html">A Reason to Refuse Use of EHR's in Your Health Care, and Demand Paper</a>.")</li></ul><ul><li>An error in EHR-generated record <b>affecting a child custody battle, with a husband alleging unfitness of the mother due to substance abuse. </b> The EHR incorrectly showed a damaging diagnosis due to both a data mapping flaw (lumping multiple diagnoses under the same code) and a user interface flaw (permitting all of the diagnoses lumped under that code to not be seen, only the worst one) <b>that transformed caffeine (i.e., coffee) overuse to "inhalant abuse."</b>  </li></ul><br />Stunningly, Dr. Monteith reported the error was not remediated even after several years.<br /><br />As seen by the voluntary reports submitted by one of many HIT sellers (<a href="http://hcrenewal.blogspot.com/2011/01/maude-and-hit-risk-mother-mary-what-in.html" target="_blank">link</a>), the only one that seems to do so, and some involuntary ones such as at <a href="http://google2.fda.gov/search?q=pulsecheck&client=FDAgov&site=FDAgov&lr=&proxystylesheet=FDAgov&output=xml_no_dtd&getfields=*&ie=UTF-8&ip=98.114.36.41&access=p&sort=date:D:L:d1&entqr=3&entqrm=0&oe=UTF-8&ud=1&filter=0" target="_blank">this link</a>, these issues are just the <b>"tip of the iceberg."</b> That exact phrase was uttered by a senior FDA official himself, reflecting known severe impediments to information diffusion on harms, as I reported <a href="http://hcrenewal.blogspot.com/2010/02/fda-on-health-it-adverse-consequences.html" target="_blank">at this link</a>.<br /><br />Yet the government (e.g., HHS's <a href="http://healthit.hhs.gov/portal/server.pt/community/healthit_hhs_gov__onc/1200" target="_blank">Office of the National Coordinator for Health Information Technology</a>, ONC) and IT industry push this technology like candy, emphasizing largely unproven benefits and completely ignoring downsides such as damaged trust, damaged reputations that could have cost a woman custody of her child, and damaged bodies.<br /><br />A video of an attorney personally affected by these issues is at this link:   <a href="http://www.healthprivacysummit.org/events/2012-health-privacy-summit/custom-137-ec40d08a35f947e487f68a5f534a9e82.aspx">http://www.healthprivacysummit.org/events/2012-health-privacy-summit/custom-137-ec40d08a35f947e487f68a5f534a9e82.aspx</a><br /><br />-- SS

Bad health IT and its effects on willingness of patients to share sensitive information

I call your attention to this video from the 2nd International Summit on the Future of Health Privacy where HC Renewal occasional contributor Dr. Scott Monteith, a psychiatrist, presents on how health…

Đọc thêm »

A Good Reason to Refuse Use of Today's EHR's in Your Health Care, and Demand Paper

I've written before that health IT, including the technology and the social infrastructure in which it resides, is not ready for widespread diffusion.  Its widespread dissemination (on largely economic grounds) at this point in its development is premature, and is destructive.<br /><br />So much, in fact, that I am considering demanding that any physician I see or hospital I visit use paper records, not any EHR they have available.<br /><br />Think that extreme?  In the real world as it exists today, <i>perhaps the notion that one should freely spill one's deepest confidences into an insecure EHR system</i> is the extreme view. <br /><br />The reason (aside from the risk today's clinical information technology presents):  yet another addition to my series of posts on health IT privacy breaches <a href="http://hcrenewal.blogspot.com/search/label/medical%20record%20privacy" target="_blank">at this query link</a>, <b>this time from ABC News:</b><br /><br /><blockquote class="tr_bq"><b><a href="http://abcnews.go.com/Health/medical-records-private-abc-news-investigation/story?id=17228986" target="_blank">Your Medical Records May Not Be Private: ABC News Investigation</a></b><br /><br />BY JIM AVILA (@JimAvilaABC) AND SERENA MARSHALL (@SerenaMarsh) <br /><br />Sept. 13, 2012 <br /><br />Psychiatric Therapy Notes Get Shared Within One Health Care System; and Other Info Spreads on a Black Market<br /><br />You walk into the doctor's office. They lead you to a private room and shut the door. The nurse enters writes on a chart (or maybe an iPad) and shuts the door. A doctor enters and shuts the door. <br /><br />It all screams of privacy -- privacy you expect. <br /><br />But what if you were to find out those medical records containing your <b>private history, family history and medication history weren't so private after all? </b></blockquote><br />Considering electronic breaches in other sectors, and the fact that hospitals' core competencies do not include computing or computer security, why would anyone expect privacy?<br /><br /><blockquote class="tr_bq">Julie, a lawyer from Boston, discovered that her sensitive health information was available to anyone who worked at the hospital. <b> (See video of Julie <a href="http://www.healthprivacysummit.org/events/2012-health-privacy-summit/custom-137-ec40d08a35f947e487f68a5f534a9e82.aspx" target="_blank">at this link</a>).</b></blockquote><br />For an attorney who might be involved in nasty litigation, that is not a career-enhancing prospect.<br /><br /><blockquote class="tr_bq">"My expectation was that my records were going to be private, especially my therapy records," Julie said. "And if another doctor wanted to see my records, they'd ask me and then I'd give my authorization for them to view my records if they needed to see them." </blockquote><br />In an ideal world not pervaded by inappropriate leadership of health IT and incompetence, perhaps.<br /><br /><blockquote class="tr_bq">Julie, who requested her last name not be used, was diagnosed with in her late teens and began seeing a psychiatrist in 2002 after speaking with her primary care physician. <br /><br />She, like millions of Americans, thought her conversations with her psychiatrist were confidential. <br /><br />"I thought I had protection under HIPAA (the Health Insurance Portability and Accountability Act) for my psychotherapy notes to be private and I thought only my psychiatrist could see those," the 42-year-old said, adding that she noticed over the years her physician started entering them electronically. </blockquote><br />A law is only as good as the technology and people behind it, and technology and the people may not be so good:<br /><br /><blockquote class="tr_bq">According to the HHS Health Information Privacy Tool, there were at least 78 breaches so far this year affecting 500 or more individuals, <b>many affecting thousands, some tens of thousands. </b><br /><br />Known to those in the health IT world as the "Wall of Shame," the HHS site lists more than <b>21 million individuals who have been victims to date. </b><br /><br />The Privacy Rights Clearinghouse found more than 130 breaches so far in 2012 -- breaches affecting any number of individuals. </blockquote><br />Try that with paper...how many 18-wheel trucks would it take to haul 21 million charts?<br /><br /><blockquote class="tr_bq">What she didn't realize was that her physician's notes could be accessed by doctors and other health-care providers who worked in the same health-care system (6,000 doctors and nine affiliated hospitals) to have access -- information she learned after going to see an on-call physician for a stomach issue and realizing he knew about intimate relationship information only disclosed to her psychiatrist. <br /><br />Concerned, she requested a copy of her medical records from the health care system. <br /><br />Within those records she saw every note, every meeting, every conversation she had with her psychiatrist. <br /><br />"It was pretty traumatic because I felt that, you know, this man read without -- against my wishes -- without my consent," Julie said. "He read private information that I disclosed to a therapist that I didn't even tell my best friends about." </blockquote><br />There are supposed to be multiple levels of access security in EHR's, but that has to 1) work properly out of the box, 2) be implemented properly, and 3) be enforced.  That's three very large assumptions...<br /><br /><blockquote class="tr_bq">And while most hospitals have rules about who may access medical records, <b>compliance for the most part is not strictly regulated. </b></blockquote><br />Indeed.<br /><br /><blockquote class="tr_bq">In fact, an ABC News investigation found that often medical information is so unprotected, millions of records can be bought online. Because so many people have access, <b>the entire system is vulnerable to theft,</b> experts told ABC News. </blockquote><b><br /></b><b>These are an on-their-face reasons to refuse entry of your data in EMR systems.</b><br /><br /><blockquote class="tr_bq">To see exactly how easy it was to find medical records online, ABC News enlisted the help of IT specialist Greg Porter, a consultant with Allegheny Digital. <br /><br />"This isn't very sophisticated," Porter said. "If you can use a Web browser and you can search to www.google.com, you can begin to try and obtain some of this information." <br /><br />With two clicks of a mouse, Porter found somebody willing to sell a data dump of diabetic patients with information including their names, birth dates and who their insurance provider was, among other details. Another seller offered 100,000 records of customers who purchased health insurance in the last three to 12 months. <br /><br />"Typically, what we find are things like first name, last name, address, medical condition, whether they were a smoker, diabetic patient, perhaps even as intensive as, or invasive as whether they are HIV-positive or not," Porter said. "Some of the most intimate information about all of us potentially could be revealed<b> if appropriate safeguards aren't put in place. </b></blockquote><br />Putting appropriate "safeguards" into place hurts healthcare organizations' bottom lines.<br /><blockquote class="tr_bq"><br />Security professionals are seeing an increase in theft via the "insider threat," Porter said. <br /><br />"It's a depressed global economy," Porter added. Thieves might approach medical staff and offer upward of $500 per week for providing 20 to 25 insurance claim forms, medical records or health financing records, Porter said. Those documents fall under HIPAA security rules and are considered protected health information. </blockquote><br /><b>Could never happen, right?</b><br /><br /><blockquote class="tr_bq">In June, a hospital medical technician at Howard University pleaded guilty to selling patient information, including names, birth dates and Medicare numbers, for $500 to $800 per transaction for more than a year. <br /><br />In August, a hospital employee at Florida Hospital Celebration was arrested for accessing more than 700,000 patient records in two years. <br /><br />According to the FBI, Dale Munroe accessed car accident victims' date and sold it to someone who passed it on to chiropractors and attorneys. <br /><br />And this week, the University of Miami Health System said that two workers had "inappropriately" accessed patient data and "may have sold the information to a third party." <br /><br />On the black market, "health information is far more valuable than Social Security numbers," said Dr. Deborah Peel, founder and chairwoman of Patient Privacy Rights. </blockquote><br /><i>I stand corrected. </i><br /><br /><blockquote class="tr_bq">ABC News' searches found one seller offering database dumps for $14 to $25 per person. After a quick email inquiry into the sale of records, ABC News was sent, unsolicited, 40 individuals' private health information, including their names, addresses and body mass index. <br /><br />Another inquiry yielded an offer of more than 100 records that, if purchased, would have included everything from Social Security numbers <b>to whether someone suffered from anxiety or hypertension, or even their HIV status. </b><br /><br />ABC News contacted patients from one of the lists to see if they knew their information was being sold over the Internet and if they had consented. <br /><br />One victim named Rafael said he had not "recalled" giving anyone permission to sell his information. <br /><br />"I'm appalled, I'm disgusted and I'm very much concerned," Rafael said. "Who's giving out my personal information like that? I thought there were security and safeguards for these things. I thought … your medical records are confidential." </blockquote><br /><br />So, in addition to the risks to good care posed by today's EHRs, now one has to be concerned about risks to one's privacy, damage to one's career, and to one's financial health as well.<br /><br /><blockquote class="tr_bq">... [Privacy advocate Dr. Deborah] Peel believes ways to fix the privacy vulnerabilities are available. "Technologies exist today to allow you to selectively share parts of your record that are relevant on a need-to-know basis with your other physicians and no one else, but we don't have those technologies in wide use," she said. </blockquote><br />Not in the short term, unfortunately.<br /><br /><blockquote class="tr_bq">For Julie, privacy is a battle she continues to fight. <br /><br />"I asked … please restrict the records and of course they said 'No,'" she said. </blockquote><br />Great.  How reassuring.<br /><br /><blockquote class="tr_bq">"Let me also assure you that our physicians and other staff access information on a strictly 'need to know' basis and as such, we do not restrict access to clinical information from any department or physician," the hospital told her. "I take your concerns very seriously and understand your need for privacy with your psychiatric records. <b>Sometimes it can be a challenge to balance access to records for patient care purposes with the need for privacy." </b></blockquote><br />Bullsh*t, I say, having led EMR implementations at large hospitals where these exact issues were considered.<br /><br /><blockquote class="tr_bq">Since discovering her records were available to the whole health system, Julie has stopped seeking care out of concerns for her privacy. </blockquote><br />That. of course, destroys the whole purpose of electronic records to "improve access" to "accurate medical information."<br /><br /><blockquote class="tr_bq">... In sharing her story, Julie wanted to come forward for those who couldn't. <br /><br />"The difference in this situation is I actually chose to come here and I actually chose what I'm gonna say and what I'm not gonna say; but when my medical information is available to everybody, I don't have that decision," she said. <b>"Somebody else is making that decision for me and that really makes me feel violated.</b> So that's why I'm here: Because I think it's a really big problem and I wanted to do something about it. " </blockquote><br />The people who in essence are "making that decision for me" are technologists, or technology <b>hyper-enthusiasts</b>, who ignore technology's downsides and ethical considerations.  I defined that defective character type at <a href="http://hcrenewal.blogspot.com/2012/03/doctors-and-ehrs-reframing-modernists-v.html" target="_blank">this post</a>.<br /><br />The <b>systemic technological and attitudinal problems (further) exposed </b>by this ABC investigation cannot reasonably be expected to be fixed, and probably <b>cannot</b> be fixed, in a short time frame.<br /><br />Thus,<b> </b>I suggest patients who do not desire to be guinea pigs on health information security, privacy and confidentiality <b>consider refusing use of EHR's</b> to record and diffuse their confidential medical information. A person should not be coerced to risk their privacy and financial security while the health IT industry "gets its act together."<br /><br />On a pragmatic basis alone in 2012, the risk-to-benefit ratio may simply be too high.  For instance, what are the odds that you'll be found unconscious and without contact information in some distant land, vs. privacy breach or ID theft from an EHR?<br /><br />Further, there is no legal requirement that electronic records be used for rendering of medical care.  There is also no legal requirement that <b>live patients consent to be used as test subjects</b> for hospitals and software companies in refining their IT systems ("beta testing") to make them secure.<br /><br />If a physician or hospital refuses to honor the request, and/or refuses to provide care,<b> litigation should be pursued.</b><br /><br />-- SS

A Good Reason to Refuse Use of Today's EHR's in Your Health Care, and Demand Paper

I've written before that health IT, including the technology and the social infrastructure in which it resides, is not ready for widespread diffusion.  Its widespread dissemination (on largely economi…

Đọc thêm »

EHR sabotage for ransom: Try this with paper!

I have frequently written that health IT, touted as a technology that will deterministically "transform medicine", allows (aside from clinical chaos) new sorts of problems, such as information security abuses en masse, to occur.  See this query link for numerous postings on that topic:  <a href="http://hcrenewal.blogspot.com/search/label/medical%20record%20privacy">http://hcrenewal.blogspot.com/search/label/medical%20record%20privacy</a><br /><br />I am not, of course, advocating a return to paper; I am in fact "pro-good IT" but "anti-bad IT."<br /><br />"Bad IT" is IT that interferes with quality patient care for any reason, permits evidence spoliation, permits overbilling, exposes confidential medical information to unauthorized parties, etc.<br /><br />Here is another example of unintended consequences of bad health IT.  Try this trick with paper:<br /><br /><blockquote class="tr_bq"><a href="http://www.cio.com/article/713605/Attackers_Demand_Ransom_After_Encrypting_Medical_Center_s_Server" target="_blank">Attackers Demand Ransom After Encrypting Medical Center's Server</a><br />John E Dunn, Techworld <br />August 14, 2012  <br /><br />Details have emerged of an extraordinary data breach incident in which a U.S. medical practice <b>had thousands patient records and emails encrypted by attackers who then demanded a ransom to unscramble the data.</b><br /><br />The incident appears to have come to light after a security blogger 'Dissent Doe' noticed a data breach report made by <b>Illinois-based The Surgeons of Lake County medical centre</b> to the US Department of Health and Human Services.<br /><br />According to a small newswire that reported events, attackers were able to compromise one of the medical centre's servers, encrypting its contents including <b>7,067 patient records and a quantity of emails.</b><br /><br />The first the centre knew about the attack was on 25 June when a ransom note for an undisclosed sum was posted on the server, at which point it was turned off.<br /><br />It is not clear whether the data was recovered through backups but the organisations reported the incident to the police and Department of Health.<br /><br />... What marks the compromise out from almost every data breach attack recorded is that the attackers opted to extort the victim organisation rather than attempting to sell or exploit the data itself. <i style="color: red;"><b> [Cyber criminals should never be assumed to be uncreative - ed.]</b></i><br /><br />It remains unlikely that the intention was to abuse this data directly; having occurred only days before the extortion note was received, the criminals would normally want a longer period to execute data and identity theft crimes. Most data theft criminals attempt to go undetected for this reason.<br /><br />The criminals will, nevertheless,<b> had access to sensitive data including names, addresses, social security and credit cards numbers plus medical records</b>, prompting the centre to inform its affected patents of the breach.<br /><br /><b>"This is a warning bell. Maybe they're the canary in the coal mine that unpredictable things can happen to data once it's digitized,"<i style="color: red;"> [you think? - ed.]</i></b> said Santa Clara University law school professor, Dorothy Glancy, quoted by Bloomberg. </blockquote><br />This incident is, quite simply, stunning.  In addition to identity theft concerns, a patient whose information was cybernetically 'held hostage' could have suffered clinically as a result.<br /><br />A warning bell indeed about "bad IT."<br /><br />-- SS<br /><br />

EHR sabotage for ransom: Try this with paper!

I have frequently written that health IT, touted as a technology that will deterministically "transform medicine", allows (aside from clinical chaos) new sorts of problems, such as information securit…

Đọc thêm »

Banking as the Standard Healthcare Should Look Up To On Medical Information Security?

At past posts "<a href="http://hcrenewal.blogspot.com/2012/03/at-my-oct.html" target="_blank">Don't Worry, Your Electronic Medical Records Are Getting Safer With Every Passing Day</a>", "<a href="http://hcrenewal.blogspot.com/2011/09/another-episode-of-dont-worry-your.html" target="_blank">Another Episode of "But Don't Worry, Your Records are Safe...</a>" and "<a href="http://hcrenewal.blogspot.com/2011/10/still-more-ehr-chaos-pandemonium-bedlam.html">Still More Electronic Medical Data Chaos, Pandemonium, Bedlam, Tumult and Maelstrom: But Don't Worry, Your Data is Secure</a>", "<a href="http://hcrenewal.blogspot.com/2012/04/dont-worry-your-records-are-safe-part.html" target="_blank">Don't Worry, Your Records are Safe - Part IV</a>" and others, I wrote on the issue of medical record security.<br /><br />Banking has been held as the standard as to which medicine has been compared, with medicine being called archaic and behind the times for its reliance on paper.  Banking security is cited as a reason why electronic medical records can also be secured.<br /><br />There's this:<br /><br /><blockquote class="tr_bq"><b><a href="http://news.sky.com/story/952931/fraud-ring-in-hacking-attack-on-60-banks" target="_blank">Fraud Ring In Hacking Attack On 60 Banks</a>  <br /><br />June 27, 2012 <br /><br />Some 60m euro is stolen from bank accounts in a massive cyber raid, after fraudsters raid dozens of banks around the world.<br /><br />By Pete Norman, Sky News Online</b><br /><br />Sixty million euro has been stolen from bank accounts in a massive cyber bank raid after fraudsters raided dozens of financial institutions around the world.<br /><br />According to a joint report by software security firm McAfee and Guardian Analytics, more than 60 firms have suffered from what it has called an "insider level of understanding".<br /><br />"The fraudsters' objective in these attacks is to siphon large amounts from high balance accounts, hence the name chosen for this research - Operation High Roller," the report said.<br /><br />"If all of the attempted fraud campaigns were as successful as the Netherlands example we describe in this report, <b>the total attempted fraud could be as high as 2bn euro (£1.6bn)."</b><br /><br />The automated malicious software programme was discovered to use servers to process thousands of attempted thefts from both commercial firms and private individuals.<br /><br />The stolen money was then sent to so-called mule accounts in caches of a few hundreds and 100,000 euro (£80,000) at a time.<br /><br />Credit unions, large multinational banks and regional banks have all been attacked.<br /><br />Sky News defence and security editor Sam Kiley said: "It does include British financial institutions and <b>has jumped over to North America and South America.</b><br /><br />"What they have done differently from routine attacks is that they have got into the bank servers and constructed software that is automated.<br /><br />"It can get around some of the mechanisms that alert the banking system to abnormal activity."<br /><br />The details of the global fraud come just a day after the MI5 boss warned of the new cyber security threat to UK business.<br /><br />McAfee researchers have been able to track the global fraud, which still continues, across countries and continents.<br /><br />"They have identified 60 different servers, many of them in Russia, and they have identified one alone that has been used to steal 60m euro," Kiley said.<br /><br />"There are dozens of servers still grinding away at this fraud – in effect stealing money."</blockquote><br />That's all very reassuring.   Let's put all of our personal medical secrets online ASAP.  Don't worry, your information's safe and secure.<br /><br />-- SS<br /><br /><br />

Banking as the Standard Healthcare Should Look Up To On Medical Information Security?

At past posts "Don't Worry, Your Electronic Medical Records Are Getting Safer With Every Passing Day", "Another Episode of "But Don't Worry, Your Records are Safe..." and "Still More Electronic Medica…

Đọc thêm »

More Electronic Medical Record Breaches: You Could Not Do This With Paper

I have written repeatedly on the dangers posed by poorly managed health IT regarding information breaches.  See "<a href="http://hcrenewal.blogspot.com/2012/01/2011-closes-on-note-of-electronic.html" target="_blank">2011 Closes on a Note of Electronic Medical Record Privacy Breach Shame</a>" and other posts at this query link:   <a href="http://hcrenewal.blogspot.com/search/label/medical%20record%20confidentiality">http://hcrenewal.blogspot.com/search/label/medical%20record%20confidentiality</a><br /><br />Now this, from Kaiser Health News and The Washington Post:<br /><br /><blockquote class="tr_bq"><a href="http://www.kaiserhealthnews.org/Stories/2012/June/04/electronic-health-records-theft-hacking.aspx" target="_blank">As Patients' Records Go Digital, Theft And Hacking Problems Grow </a><br /><div class="byline">By <span class="author">David Schultz</span></div><div class="timestamp">Jun 03, 2012</div><br />As more doctors and hospitals go digital with medical records, the size and frequency of data breaches are alarming privacy advocates and public health officials. <br /><div class="nosyndication"><div class="inlineImage300"><br /></div></div>Keeping records secure is a challenge that doctors, public health officials and federal regulators are just beginning to grasp. And, as two recent incidents at Howard University Hospital show, inadequate data security can affect huge numbers of people. <i style="color: red;"><b> </b></i></blockquote><br /><span style="color: #660000;">With paper, you'd need a stream of trucks to accomplish this magnitude of theft:</span><br /><br /><blockquote class="tr_bq">On May 14, federal prosecutors <a href="http://dl.dropbox.com/u/37285095/Napper%20Information.pdf" shape="rect" target="_blank">charged</a> one of the hospital's medical technicians with violating the Health Insurance Portability and Accountability Act, or HIPAA. Prosecutors say that over a 17-month period Laurie Napper used her position at the hospital to gain access to patients' names, addresses and Medicare numbers in order to sell their information. A plea hearing has been set for June 12; Napper's attorney declined comment.<br /><br />Just a few weeks earlier, the hospital <a href="http://huhealthcare.com/healthcare/hospital/data-breach/FAQ" shape="rect" target="_blank">notified</a> more than 34,000 patients that their medical data had been compromised. A contractor working with the hospital had downloaded the patients' files onto a personal laptop, which was stolen from the contractor's car. The data on the laptop was password-protected but unencrypted, which means anyone who guessed the password could have accessed the patient files without a randomly generated key. According to a hospital press release, those files included names, addresses, and Social Security numbers -- and, in a few cases, "diagnosis-related information."</blockquote><br />I add that they could also probably have booted the laptop from alternate media, and/or removed the hard drive and inserted into another computer, to access the contents.<br /><br /><blockquote class="tr_bq">Ronald J. Harris, Howard University's top spokesman, said in an e-mail that the two incidents are unrelated, but declined to answer further questions. In its press release about the stolen laptop, the hospital said it will set new requirements for all laptops used by contractors and those issued to hospital personnel to help protect data.<br /><br />Still it could have been worse. Much worse.<br /><br />Just days after Howard University contacted its patients about the stolen laptop, the Utah Department of Health <a href="http://www.health.utah.gov/databreach/" shape="rect" target="_blank">announced</a> that hackers based in Eastern Europe had broken into one of its servers and <b>stolen personal medical information for almost 800,000 people -- more than one of every four residents of the state.</b></blockquote><br />How many trucks (and Stargate SG-1 style invisibility cloaks) would it take to inconspicuously steal 800,000 paper charts, I ask? <br /><br /><blockquote class="tr_bq">And last November, TRICARE, which handles health insurance for the military, <a href="http://www.tricare.mil/breach/old.htm" shape="rect" target="_blank">announced</a> that a trove of its backup computer tapes had been stolen from one of its contractors in Virginia. The tapes contained names, Social Security numbers, home addresses and, in some cases, clinical notes and lab test results for <b>nearly 5 million patients, making it the largest medical data breach since the Department of Health and Human Services began tracking incidents two and a half years ago.</b></blockquote><br />Five million charts in a country of 300 million people...<br /><br /><blockquote class="tr_bq">As recently as five years ago, it's possible no one outside Howard University would have known about the incidents there. But, <a href="http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html" shape="rect" target="_blank">new reporting rules</a> adopted as part of the 2009 stimulus act insure the public knows far more about medical data breaches than in the past. When a breach occurs that affects 500 or more patients, health care providers now must notify not only HHS, but also the media.</blockquote><br />Meaning there were breaches the public does not know about. <br /><br /><blockquote class="tr_bq">Deven McGraw, director of the health privacy project at the <a href="https://www.cdt.org/" shape="rect" target="_blank">Center for Democracy & Technology</a>, a Washington-based Internet advocacy group, said the number of incidents is growing with the increased use of digital health records. The health care industry, she added, has been slow to respond.</blockquote><br />A problem is not enough "motivation."<br /><br /><blockquote class="tr_bq">"Many financial companies have used encryption for years and they probably wonder what the heck is going on with the health care industry," McGraw said. "It's much cheaper to deploy safeguards than to suffer a breach."</blockquote><br />I offer a one word answer:  complacency. <br /><br />Now for the "spin control":<br /><br /><blockquote class="tr_bq">This growing problem puts HHS in a tough spot. It is pushing hospitals and doctors to adopt electronic health records, but it's also responsible for punishing health care providers who fail to properly secure their patients' records.<br /><br />"<b>Mistakes happen, incidents happen, corners get cut from time to time,</b>" said Susan McAndrew, deputy director for health information policy at HHS's Office of Civil Rights. "That's where we come in."</blockquote><br />"From time to time" is a rather modest description of the millions of breaches mentioned in just this posting.<br /><br /> But as I've written before, don't worry, your records are safe.<br /><br />Just don't tell the doctor about that "incident" at that seedy club the other night, and find some other excuse to get the antibiotics you need, and that information will be safe, too.<br /><br />-- SS

More Electronic Medical Record Breaches: You Could Not Do This With Paper

I have written repeatedly on the dangers posed by poorly managed health IT regarding information breaches.  See "2011 Closes on a Note of Electronic Medical Record Privacy Breach Shame" and other post…

Đọc thêm »