Thursday, January 26, 2006

Health IT mismanagement strikes again

I post this article without commentary other than the title above, and a question: was this method of IT "disaster recovery" (using your own employees' cars and homes as backup repositories) done to save a few dollars? I worked at one time for the Comdisco Healthcare Group. One of Comdisco, Inc.'s specialty areas was disaster recovery/business continuity services. Those services were costly.

I've seen financial issues cause conventional desktop computers to be hung from the ceilings of small ICU rooms, instead of industrial clean-room-quality machines, and conventional keyboards and mice to be used, despite the risks of spreading infection. So anything is possible.

-- SS

365,000 lose health files to thief

Critics question safeguards after a car burglar steals the records of home services patients

Thursday, January 26, 2006
JOE ROJAS-BURKE and JOSEPH ROSE
The Oregonian


Medical privacy advocates expressed horror over Providence Health System's revelation Wednesday that a car thief had walked away with the medical records of 365,000 patients across Oregon and Washington.

The thief who smashed the window of a Plymouth Voyager parked outside a Milwaukie home last month seized a trove of records containing names, addresses, Social Security numbers and intimate health information from patients receiving home services from Providence. Records of Providence hospital or clinic patients were not stolen.

The records, some dating to 1987, were stored on computer disks and digital tape that a Providence employee took home and left in his car overnight. Providence officials said certain employees routinely took home records to provide readily available backup.

... medical records contain information that employers, insurers and others could use to unfairly exclude people with health problems. Disclosures, they say, also could humiliate them.

With no leads in the case, the Clackamas County Sheriff's Office has suspended its investigation. The likelihood that criminals will exploit the information is difficult to calculate.

... Driveway break-in

Steve Shields, a Providence information systems analyst, reported the theft about 10:30 a.m. Dec. 31, according to a sheriff's office report. Shields' van was parked in his driveway ... The thief took a laptop computer bag containing 10 computer disks and data tapes but no computer. "Nothing else was taken," said Detective Wendi Babst, a sheriff's spokeswoman.

Shields, who declined to comment when contacted at Providence on Wednesday, told authorities that the disks contained confidential information, including Social Security numbers and medical information, for thousands of people. At the time, he told Tomas Solano, a sheriff's community service officer who took the report, that the information on the disks was "highly encrypted" and almost impossible to retrieve.

"I advised him that although he feels it is unlikely that the information can be obtained, he should still send a letter or contact anyone that could have information compromised," Solano wrote.

On Wednesday, a Providence spokesman said the records were not encrypted.

... Upon Wednesday's announcement, critics immediately questioned the practice of sending records to employees' homes.

"What were they thinking? Did they not have a data-security person tell them this is not a good plan?" said Lillie Coney, associate director of the Electronic Privacy Information Center, an advocacy group in Washington, D.C.

Cagen said Providence asked certain managers or supervisors to take home backup information on home services patients, and not others, in case a patient emergency and a major failure of the division's main records system coincided.

"The intention was to protect the patients and the vulnerability of that data," Cagen said. "What we didn't do was evaluate the practice of taking it home. That's where we fell short."

I would agree with that last assessment.

-- SS
