Friday, October 16, 2009

Data Malpractice on T-Mobile Sidekick: But Don't Worry, Your Medical Data is Safe

One of the promises made about healthcare IT is that your medical data is "safer" in electronic form than in paper form. The Hurricane Katrina example of paper records being destroyed is often used as a poster example of the dangers of paper records.

However, the risk of electronic storage of information, especially the talk of national EMR's stored on the "cloud" (an amorphous term meaning distributed storage "out there" whose physical sites and boundaries are supposedly irrelevant from the user's perspective) has also been under-reported. Excluding frequent reports of data confidentiality breaches, we also have this:

Wall Street Journal, Oct. 15, 2009
Microsoft Recovers Lost Sidekick Data

Microsoft Corp. said Thursday that it has been able to recover the personal customer data lost from many of T-Mobile USA's Sidekick devices.

The Redmond, Wash., software giant said that most, if not all, customer data was recovered, and that the company would begin restoring data as soon as it has validated it. The company said it will start with personal contacts, and move on to the lost calendar, notes, tasks and pictures as quickly as possible.

The fix comes as Microsoft suffers through a public backlash after mishandling the information found on the Sidekick line of messaging phones, which are popular with teenagers ... Over the weekend, T-Mobile and Microsoft initially warned that the recovery of data would be unlikely, but upgraded their prospects on Tuesday.

They got lucky.

Microsoft blamed a system failure [i.e., an IT system - ed.] for the data loss in the core database and backup system. Microsoft said it had taken steps to strengthen the stability of the Sidekick service and started a more resilient backup process. [More resilient compared to ... what? - ed.]

In IT it's always an apersonal "system failure", not "data malpractice." When medical malpractice occurs, it's the doctor's fault, even if that malpractice occurred secondary to the failure or misdesign of an EMR or other clinical IT by dyscompetent software engineers. When data malpractice occurs, the motto is "We always blame the computer." How about some names of those responsible for this debacle?

... The Sidekick service, run by Microsoft unit Danger [talk about ironic names - ed.], is supposed to be more secure in storing data because it is kept in the "cloud," which involves storing information on the Internet and not one physically vulnerable location, making the temporary loss of data striking.

"Cloud" is a new buzzword du jour to make more appealing a basically bad idea for many fields. Distributing data also distributes risk that some incompetent or careless person or person(s) will cause data corruption or loss (yes, computers are run by people, and either they're in control of their systems, or their systems are in control of them). It also puts organizations storing data on the "internet cloud" at risk of being victims of a network "rainy day" when internet connections might prove unreliable (accidents, sabotage, natural disasters all come to mind).

In healthcare, using the "cloud" for data storage seems to be a bad idea, especially in an era of $99 (retail) terabyte hard drive storage, and corresponding economies in mission critical-grade local mass storage, backup, business continuity and disaster recovery capabilities.

In summary, is electronic medical data more secure when stored electronically than on paper? Only if the underlying CIO's, information stewards, technicians and system administrators are at least as competent and careful as the trained health information management (HIM) personnel in hospital medical records departments and doctors' offices.

Time will tell if that is the case. One mistake, and thousands or millions of records can go *POOF*.

Microsoft and T-Mobile were lucky ... this time.

-- SS

10/26 addendum:

Sometimes, EHR data simply disappears too. At this link is a story of a Canadian clinic that lost two years of electronic health records:

Clinic's medical files vanish

By Ryan Cormier, Edmonton Journal

October 21, 2009

During a recent investigation into whether a patient's confidentiality had been breached at the Fairview Medical Clinic, an investigator asked for a log of who had accessed the complainant's file. When the clinic responded that it had automated his records in 2004 but only had files from 2006 on, alarm bells rang.

"That raised a lot of questions," said Leahann McElveen, an investigator with the office of the information and privacy commissioner.

The clinic had permanently lost two years worth of health files that include patient information on visits, prescriptions, lab reports, doctor's notes and other information. The loss happened when the clinic switched from one electronic medical records system to another.

"They were two similar systems intended to do the same thing," McElveen said. "However, they weren't coded the same way behind the scenes. It's not that the records fall into the wrong hands, they just don't exist anymore."

*POOF* again.

-- SS

No comments: