The data were on the physician’s external hard drive, officials said. Though the hard drive was encrypted, a piece of paper with the password was nearby and is also missing. The physician notified UCLA the next day and officials began identifying patients affected.”

I am continuously amazed at the number of security breaches involving patient healthcare information caused by careless use of portable storage media like external hard drives, flash drives, and even laptop hard drives. Patient information should never be stored or transported this way. I believe that utilizing cloud computing with simple browser access is a much better solution. 

What makes this particular incident so bad is the cause; reckless behavior by a physician. This wasn’t UCLA’s fault, per se. Sure, the medical center must accept a share of the responsibility, the lion’s share of the blame falls in the lap of the physician. Not only did the physician have sensitive patient information on an external hard drive, but was dumb enough to have the password to access the drive on a piece of paper next to it. Kind of defeats the purpose of encryption and passwords, doesn’t it.

For an eye-opening look at the magnitude of data loss and security breaches drop by DataLossDB.org sometime. It’s scary stuff.

• 80% were concerned with stolen personal information
• 64% were concerned with lost, damaged or corrupted files
• 62% were concerned with the misuse of information”

I’m not surprised by the numbers. In general people are afraid of change and the unknown. With that said, I think all you need to do is walk a patient through the paper processes that we use now to give them some insight into how bad things really are. Stolen and lost personal and medical information is a major problem within the current healthcare system. It’s not uncommon in any given week to hear about patient records that have been lost or stolen. And as far as misuse of information, well lets just say that’s all too common as well.

The advantages to an EHR outweigh the concerns listed above. Just sayin’.

The Walk-Away technology was impressive. As long as a user was standing in front of the computer camera they remained logged in. However, as soon as the user turned to walk away they were immediately logged out of their session. This is a significant step forward in managing those unattended workstations that one often finds throughout the hospital.

From the Imprivata website: “OneSign Secure Walk-Away closes a critical security gap in the protection of confidential information assets by automating the process of securing the desktop when a user ‘walks away’. Once a user has securely authenticated to the desktop using OneSign Authentication Management, OneSign Secure Walk-Away uses a combination of computer vision, active presence detection, and user tracking technologies to identify an authenticated user and automatically lock the desktop upon their departure.”

You can read more about the system here (PDF). Try as I might I could not find a video demonstration of the Walk-Away system; too bad really as the system has to be seen to be appreciated. I’m not a big fan of single sign-on systems (SSO) in general for various reasons, but I’m willing to reconsider my position when SSO is used in combination with biometric identification, voice recognition or facial recognition technology. It’s just too cool to ignore.

In the article a pediatrician that is also director of clinical informatics for Atrius Health is quoted as saying “At the moment I’m not convinced that there’s a secure enough place in the cloud or that the functionality exists for us to do everything that we need to do in the cloud. The cloud allows for a tremendous amount of interconnectivity between computers because it’s using data storage that’s free amongst different networks and I wouldn’t want healthcare information being scattered in a way that I couldn’t protect it appropriately.” I’m not sure I understand the perceived insecurity of the cloud as the existing infrastructure for storing patient information in healthcare is, by design, insecure.

I don’t think most of the fear swirling around the cloud is necessarily associated with the physical security of the servers or the lack of encryption, but rather the regulation attached to healthcare. Everyone wants to know that information is safe and they don’t want to get dinged by one of the regulatory agencies. Everyone is worried about being HIPAA compliant along with the fines associated with the HITECH Act for breaches of patient information. I can’t guarantee that every cloud provider meets HIPAA regulatory compliance, but that’s why you have a sit down with the cloud provider and understand what you’re getting yourself into before you jump in head first.

However, consider the results of a recent survey conducted by New London Consulting and FairWarning in which nearly one-third of survey respondents stated that their organizations were not currently in compliance with or feel that they will be in compliance with the HITECH requirements. How is that a good thing?

On the other hand, it’s in a cloud service provider’s best interest to be in full compliance with state and federal laws if they plan on staying in business. This could be a win-win, especially for healthcare systems that need someone to help control their data.

Based on available cloud models one could argue that data is more secure in the cloud than it is with many “in-house” systems. Cloud service applications are developed with cloud platforms in mind and use a common security model. Cloud providers tend to be aware of technology and security trends before the typical end-user. In other words, they pay more attention to issues such as physical security, access controls and perceived threats. It’s what they do, people.

Many consider data control and security in the current healthcare model a myth. It consists of data located in various places split among computerized storage and paper files. Do you really think this is a safe, secure and efficient way of storing healthcare information? A more important consideration might be whether or not the people arguing against cloud storage models understand the current state of healthcare data integrity.

Many people in various locations need access to healthcare information. In the current healthcare model this results in duplicate information found in paper charts stored by the thousands. It’s not uncommon to find these files lying around in various places like nursing units, physicians desks, etc. Don’t even get me started on what can happen when a hard copy of a record gets lost in transit to another location. And let’s not forget that some facilities may not have a readily available backup of these paper records.

Unfortunately, the problem with data integrity and security isn’t limited to paper records. Electronic records inside facilities are at risk as well. Medical records are accessed by many people for lots of legitimate reasons, but what happens when a physician or other healthcare provider walks through your door with a flash drive, an external hard drive, or even a laptop with patient data on it? That’s a walking HIPAA nightmare.

Laptops are everywhere and some physicians use them to transport patient data back and forth. In addition, laptops remain a mainstay for home health nurses and hospice care outside the hospital. They are both an indispensable tool and a tremendous security risk for healthcare institutions. If you don’t believe me just do a cursory online search for “lost laptop with healthcare data” and see what pops up. You’ll be shocked and horrified by what you read.

Information from a 2009 report by the Ponemon Institute indicated that Approximately 10,000 laptops go missing in airports every week. Some get recovered, but many don’t. The loss of these laptops is not only a security breach when they contain sensitive healthcare data, but they create a financial burden as well. It’s not just the cost of replacing the hardware itself, which we know is cheap, but the cost of detection, forensics, the loss of productivity and the possible fines associated with the data breach.

According to the Ponemon report, the average value of a lost laptop for all industries is $49,246. That’s a bargain when compared to healthcare where it’s actually around $67,873. Sure you can encrypt the data and take steps to minimize data breaches on these stolen or lost devices, but doesn’t it make more sense to simply avoid it all together? I think so.

A cloud model means that your information doesn’t need to be moved around and it doesn’t need to be copied or transferred from one system to another because the end user has the information available to them at any time from any device with internet connectivity. Pick your device: smartphone, laptop, iPad, it doesn’t make any difference as long as the device is web enabled and can see the information in the cloud.

Regardless of the situation – pharmacy needs information about a patient’s allergies or a patient gets admitted to the hospital and you need the old chart or you’re a physician on call that needs to know what a patient is taking or what their most recent labs are – as long as you have web access you can see that information. With the increasing availability of wireless connectivity it’s only a matter of time before having access at anytime from anywhere won’t be a slogan, but a reality. In addition the information remains safe because it’s not stored locally on the device. You’re simply using the device as a window to view the data.

A 2009 report on “Cloud Computing: Benefits, risks and recommendations for information security” by the European Network and Information Security Agency actually took an independent look at the technical and legal aspects associated with the issues of ‘cyber security’ and determined that “The scale and flexibility of cloud computing gives the providers a security edge.” Their reason for making such a bold statement was that they felt that service providers had the flexibility to instantly correct security issues, apply patches or implement additional security features if necessary.

Regardless of current feelings toward cloud computing, it is apparent to me that the consumer market is driving adoption. The InformationWeek article goes on to say “Nevertheless, last month two major announcements may have been the clearest indication yet that vendors believe there is promise in offering cloud computing to healthcare delivery organizations, especially among small and medium-size physician practices. In June, GE Healthcare introduced Centricity Advance, a new Web-based, SaaS platform that offers a combination of EMR, practice management, and patient portal solutions for small, independent physician practices. Last month also saw Dell announce a partnership with SaaS provider Practice Fusion to offer an electronic medical record package for small and medium-size medical practices.” We’re headed toward the cloud whether we like it or not. The market will eventually force healthcare to adopt the model, and being forced into something is never a good thing. While I believe in improving and optimizing existing systems, I also believe it’s important to explore future technology and decide where you want to be. Just a thought.

- What’s that? Oh, Avatar is still #1 at the box office. It’s now #2 on the list of top grossing movies of all time with its crosshairs squarely set on #1.

- KevinMD: “But when this health-care reform package passes, and if it does to the economy and to medical practice what many of us fear, will anyone be accountable? Will they step up and say, ‘yep, that was me! Sorry, I’ll try to fix it!’ It’s unlikely. That’s not how politics are conducted.” – Scary thought

- The Apple iPad was announced this week. It’s basically a giant iPod Touch. It isn’t available for purchase yet, but is already creating quite a buzz in heath care. Every card carrying clinician is claiming the iPad is going to revolutionize how they practice health care. I’m looking forward to getting my hands on one and spending some quality time figuring out how best to use it, but I’m a little gun shy about making claims like that.

- You can find positive blog posts on the iPad everywhere, so here a couple of negatives to help balance it out: interesting view from a 16-year old boy and another from VentureBeat and one final one from GottaBeMobile.

- Hitler responds to the iPad. I find these “Hitler” videos very funny. Be warned, however, they contain some offensive language.

- Here’s a tablet PC survey aimed at health care spurred on by the arrival of the iPad.

- Healthcare IT Consultant Blog: “Medical records for about 4,400 UCSF patients are at risk after thieves stole a laptop from a medical school employee in November, UCSF officials said Wednesday. The laptop … stolen on or about Nov. 30 … was found in Southern California on Jan. 8. There is no indication that unauthorized access to the files or the laptop actually took place, UCSF officials said, but patients’ names, medical record numbers, ages and clinical information were potentially exposed.” – This is why you never, ever store patient information on any type of physical media be it hard drive, CD, flash drive, etc. This is also why storage of patient information on the cloud should be considered.

- This is funny.

- Pharmcotherapy : “The genetic study of disease states can be the stepping stones for thoroughly understanding the genetic basis of ADEs. Gene polymorphisms are implicated in the development of diseases and corresponding disease-like ADEs.” – Pharmacogenetics, the study of genetic variation on the effects of drug, has been around for several years now, but has never really taken hold like many thought it would. The idea behind genetic testing to determine how you will respond to medications makes sense, but I don’t see it in practice. I wonder why?

- The Palmdoc Chronicles: “VisualDx Mobile for the iPhone and iPod Touch aids physicians in their decision making efforts by increasing diagnostic accuracy, helping to reduce health care costs associated with unnecessary return visits, referrals, and tests– all of which increase patient satisfaction.” – Clinical decision support for the iPhone/iPod touch.

Endgadget: “Researchers aim to give surgeons 3D maps, directions of human body – the group’s TLEMsafe system does provide surgeons with a complete 3D map of the lower body, which can actually be personalized for each individual patient, giving surgeons a reference and means to practice before any actual surgery takes place — and, yes, even an “automated navigation system” during surgery.” – Pretty cool stuff.

- LiveScience: “Researchers have built a new super-small “nanodragster” that improves on prior nanocar designs and could speed up efforts to craft molecular machines.” – This is amazing, The nanodragster is built using a combination of phyenylene-ethynylene molecules for the chassis and buckyball wheels. Cool!

- medGadget: “To see if clinical measurements can be performed using a cheaper solution, researchers at University of Melbourne tested Nintendo’s Wii Balance Board (WBB) against a laboratory-grade force platform (FP), and concluded that the cheaper option can provide results “suitable for the clinical setting” – So having a Wii is totally worth it, right?

- ASHP: “Health care facilities can expect the Environmental Protection Agency (EPA) by October to release a set of best practices for managing excess, expired, and unwanted pharmaceuticals.” – What to do with these medications has always been an issue.

- LA Times: “Unfortunately, even great stories have their endings, and the chapter on Warner’s NFL career closed today when the 38-year-old quarterback announced his retirement.” – I’m disappointed for my team, but happy for Warner. The man is a class act and a lock for the Hall of Fame. Check out his stats sometime. They are impressive. Kurt Warner is one of the few professional football players that I would like to meet in person. Perhaps I’ll get the opportunity some day. Good luck Kurt.

- I went 1-1 last weekend, bringing my playoff record to 7-3. The Vikings game was one of those rare moments in the NFL where the better team lost. Even with all the Vikings turnovers and bad penalty calls, they were only one play away from a trip to Miami for the Super Bowl. I was really hoping the Vikings could pull it off, but it wasn’t meant to be. My hat goes off to the Saints for hanging staying in the game. Now I hope Favre retires and enjoys being one of the greatest quarterbacks to have ever played the game.

- I’ll give you my Super Bowl pick next week.

Have a great weekend everyone.

Vanish is a research system designed to give users control over the lifetime of personal data stored on the web or in the cloud. Specifically, all copies of Vanish encrypted data — even archived or cached copies — will become permanently unreadable at a specific time, without any action on the part of the user or any third party or centralized service.

For example, using the Firefox Vanish plugin, a user can create an email, a Google Doc document, a Facebook message, or a blog comment — specifying that the document or message should “vanish” in 8 hours. Before that 8-hour timeout expires, anyone who has access to the data can read it; however after that timer expires, nobody can read that web content — not the user, not Google, not Facebook, not a hacker who breaks into the cloud service, and not even someone who obtains a warrant for that data. That data — regardless of where stored or archived prior to the timeout — simply self-destructs and becomes permanently unreadable.