Portable storage media, the scourge of patient privacy

LA Times: “Altogether, 16,288 patients’ information was taken from the home of a physician whose house was burglarized on Sept. 6, according to the UCLA Health System.

The data were on the physician’s external hard drive, officials said. Though the hard drive was encrypted, a piece of paper with the password was nearby and is also missing. The physician notified UCLA the next day and officials began identifying patients affected.”

I am continuously amazed at the number of security breaches involving patient healthcare information caused by careless use of portable storage media like external hard drives, flash drives, and even laptop hard drives. Patient information should never be stored or transported this way. I believe that utilizing cloud computing with simple browser access is a much better solution. 

What makes this particular incident so bad is the cause: reckless behavior by a physician. This wasn’t UCLA’s fault, per se. Sure, the medical center must accept a share of the responsibility, but the lion’s share of the blame falls in the lap of the physician. Not only did the physician have sensitive patient information on an external hard drive, but was dumb enough to have the password to access the drive on a piece of paper next to it. Kind of defeats the purpose of encryption and passwords, doesn’t it?

For an eye-opening look at the magnitude of data loss and security breaches, drop by DataLossDB.org sometime. It’s scary stuff.

Patients still not diggin’ the idea of an EHR

EHR outlook: “Patients are still worried about how secure their data will be when stored in an EHR system, a new study suggests. Xerox Corporation found that of 2,720 poll respondents:

  • 80% were concerned with stolen personal information
  • 64% were concerned with lost, damaged or corrupted files
  • 62% were concerned with the misuse of information”

I’m not surprised by the numbers. In general, people are afraid of change and the unknown. With that said, I think all you need to do is walk a patient through the paper processes that we use now to give them some insight into how bad things really are. Stolen and lost personal and medical information is a major problem within the current healthcare system. It’s not uncommon in any given week to hear about patient records that have been lost or stolen. And as far as misuse of information, well, let’s just say that’s all too common as well.

The advantages to an EHR outweigh the concerns listed above. Just sayin’.

Imprivata OneSign Secure Walk-Away Technology

While at Innovations a couple of weeks back I stumbled across the Imprivata booth at the vendor expo. There were quite a few people gathered around the booth so I obliged my curiosity and squeezed in among the crowd. The Imprivata representatives were giving a demonstration of the company’s OneSign 4.5 application with Walk-Away technology. There must be something compelling about the Imprivata line of products as I found myself blogging about their OneSign Platform about this time last year.

The Walk-Away technology was impressive. As long as a user was standing in front of the computer camera they remained logged in. However, as soon as the user turned to walk away they were immediately logged out of their session. This is a significant step forward in managing those unattended workstations that one often finds throughout the hospital.

From the Imprivata website: “OneSign Secure Walk-Away closes a critical security gap in the protection of confidential information assets by automating the process of securing the desktop when a user ‘walks away’. Once a user has securely authenticated to the desktop using OneSign Authentication Management, OneSign Secure Walk-Away uses a combination of computer vision, active presence detection, and user tracking technologies to identify an authenticated user and automatically lock the desktop upon their departure.”

You can read more about the system here (PDF). Try as I might I could not find a video demonstration of the Walk-Away system; too bad really as the system has to be seen to be appreciated. I’m not a big fan of single sign-on systems (SSO) in general for various reasons, but I’m willing to reconsider my position when SSO is used in combination with biometric identification, voice recognition or facial recognition technology. It’s just too cool to ignore.

The cloud still slow to gain acceptance in healthcare

There’s an interesting article at InformationWeek about healthcare and the cloud. The article talks a little bit about the concerns surrounding security in the cloud and what I believe is an undeserved fear of using cloud based services and storage for healthcare information.

In the article, a pediatrician who is also director of clinical informatics for Atrius Health is quoted as saying, “At the moment I’m not convinced that there’s a secure enough place in the cloud or that the functionality exists for us to do everything that we need to do in the cloud. The cloud allows for a tremendous amount of interconnectivity between computers because it’s using data storage that’s free amongst different networks and I wouldn’t want healthcare information being scattered in a way that I couldn’t protect it appropriately.” I’m not sure I understand the perceived insecurity of the cloud as the existing infrastructure for storing patient information in healthcare is, by design, insecure.

“What’d I miss?” – Week of January 24th

As usual there were a lot of things that happened during the week, and not all of it was pharmacy or technology related. Here’s a quick look at some of the stuff I found interesting.

– What’s that? Oh, Avatar is still #1 at the box office. It’s now #2 on the list of top grossing movies of all time with its crosshairs squarely set on #1.

KevinMD: “But when this health-care reform package passes, and if it does to the economy and to medical practice what many of us fear, will anyone be accountable? Will they step up and say, ‘yep, that was me! Sorry, I’ll try to fix it!’ It’s unlikely. That’s not how politics are conducted.” – Scary thought

– The Apple iPad was announced this week. It’s basically a giant iPod Touch. It isn’t available for purchase yet, but is already creating quite a buzz in health care. Every card-carrying clinician is claiming the iPad is going to revolutionize how they practice health care. I’m looking forward to getting my hands on one and spending some quality time figuring out how best to use it, but I’m a little gun shy about making claims like that.

– You can find positive blog posts on the iPad everywhere, so here are a couple of negatives to help balance it out: interesting view from a 16-year-old boy and another from VentureBeat and one final one from GottaBeMobile.

Hitler responds to the iPad. I find these “Hitler” videos very funny. Be warned, however, they contain some offensive language.

Here’s a tablet PC survey aimed at health care spurred on by the arrival of the iPad.

Healthcare IT Consultant Blog: “Medical records for about 4,400 UCSF patients are at risk after thieves stole a laptop from a medical school employee in November, UCSF officials said Wednesday. The laptop … stolen on or about Nov. 30 … was found in Southern California on Jan. 8. There is no indication that unauthorized access to the files or the laptop actually took place, UCSF officials said, but patients’ names, medical record numbers, ages and clinical information were potentially exposed.” – This is why you never, ever store patient information on any type of physical media be it hard drive, CD, flash drive, etc. This is also why storage of patient information on the cloud should be considered.

This is funny.

Pharmacotherapy: “The genetic study of disease states can be the stepping stones for thoroughly understanding the genetic basis of ADEs. Gene polymorphisms are implicated in the development of diseases and corresponding disease-like ADEs.” – Pharmacogenetics, the study of genetic variation on the effects of drugs, has been around for several years now, but has never really taken hold like many thought it would. The idea behind genetic testing to determine how you will respond to medications makes sense, but I don’t see it in practice. I wonder why?

The Palmdoc Chronicles: “VisualDx Mobile for the iPhone and iPod Touch aids physicians in their decision making efforts by increasing diagnostic accuracy, helping to reduce health care costs associated with unnecessary return visits, referrals, and tests– all of which increase patient satisfaction.” – Clinical decision support for the iPhone/iPod touch.

Engadget: “Researchers aim to give surgeons 3D maps, directions of human body – the group’s TLEMsafe system does provide surgeons with a complete 3D map of the lower body, which can actually be personalized for each individual patient, giving surgeons a reference and means to practice before any actual surgery takes place — and, yes, even an “automated navigation system” during surgery.” – Pretty cool stuff.

LiveScience: “Researchers have built a new super-small “nanodragster” that improves on prior nanocar designs and could speed up efforts to craft molecular machines.” – This is amazing. The nanodragster is built using a combination of phenylene-ethynylene molecules for the chassis and buckyball wheels. Cool!

medGadget: “To see if clinical measurements can be performed using a cheaper solution, researchers at University of Melbourne tested Nintendo’s Wii Balance Board (WBB) against a laboratory-grade force platform (FP), and concluded that the cheaper option can provide results ‘suitable for the clinical setting’” – So having a Wii is totally worth it, right?

ASHP: “Health care facilities can expect the Environmental Protection Agency (EPA) by October to release a set of best practices for managing excess, expired, and unwanted pharmaceuticals.” – What to do with these medications has always been an issue.

LA Times: “Unfortunately, even great stories have their endings, and the chapter on Warner’s NFL career closed today when the 38-year-old quarterback announced his retirement.” – I’m disappointed for my team, but happy for Warner. The man is a class act and a lock for the Hall of Fame. Check out his stats sometime. They are impressive. Kurt Warner is one of the few professional football players that I would like to meet in person. Perhaps I’ll get the opportunity some day. Good luck Kurt.

– I went 1-1 last weekend, bringing my playoff record to 7-3. The Vikings game was one of those rare moments in the NFL where the better team lost. Even with all the Vikings’ turnovers and bad penalty calls, they were only one play away from a trip to Miami for the Super Bowl. I was really hoping the Vikings could pull it off, but it wasn’t meant to be. My hat goes off to the Saints for staying in the game. Now I hope Favre retires and enjoys being one of the greatest quarterbacks to have ever played the game.

– I’ll give you my Super Bowl pick next week.

Have a great weekend everyone.

Self destructing data for the cloud

One of the most frequently cited reasons for not utilizing cloud based storage is security. While the self-destructing data solution described below wouldn’t work for healthcare secondary to the need to archive information for long periods of time, it would certainly work for any personal data sent or received over the internet. The ability to put a time-bomb in a document is appealing. Read on to find out more.

Call to slow down EMR development for better security.

HIT Consultant Blog: “The law [HITECH, the law gives incentives to healthcare organizations to digitize personal health information before 2020], which also updates parts of HIPAA, gives the Secretary of Health and Human Services until mid-August to define what constitutes an electronic medical record. In Schmidt’s view initial requirements should start with strong authentication and encryption, and so far, the Secretary has done just that. Citing existing NIST and FIPS standards, HHS guidance includes healthcare data at rest, data in motion, as well as the proper destruction of Protected Health Information. Unfortunately, some health practitioners have begun purchasing e-health systems before the full complement of standards is known.” – No matter how you slice it, security is always going to be a problem. Even now, security is a primary concern for any healthcare facility in the United States. As you expand outside the walls of your existing system it is only going to get worse. I agree that practitioners should slow down and wait until some of this gets worked out. There’s nothing worse than investing in a system that has to be scrapped secondary to jumping the gun.