Wednesday, August 28, 2013

Calling Dr. Moe, Dr. Larry and Dr. Curly: Advocate Medical Breach of Four Million Patient Records, and No Encryption

At my Oct. 2011 post "Still More Electronic Medical Data Chaos, Pandemonium, Bedlam, Tumult and Maelstrom: But Don't Worry, Your Data is Secure" (http://hcrenewal.blogspot.com/2011/10/still-more-ehr-chaos-pandemonium-bedlam.html) I thought I'd seen the worst.

Here, however, is yet another post for the category of medical record privacy/confidentiality/security (http://hcrenewal.blogspot.com/search/label/medical%20record%20privacy):

Advocate Medical Breach: No Encryption?
Computer Theft Raises Questions About Unencrypted Devices
By Marianne Kolbasuk McGee, August 27, 2013.

The recent theft of four unencrypted desktop computers from a Chicago area physician group practice may result in the second biggest healthcare breach ever reported to federal regulators. But the bigger issue is: Why do breaches involving unencrypted computer devices still occur?

According to the Department of Health and Human Services' "wall of shame" website listing 646 breaches impacting 500 or more individuals since September 2009, more than half of the incidents involved lost or stolen unencrypted devices. Incidents involving data secured by encryption do not have to be reported to HHS.

... The four unencrypted but password-protected computers [a PC login password protects nothing on the disk itself; anyone holding the machine can boot another OS or pull the drive and read the files, something smart teenagers manage routinely - ed.] stolen during a burglary in July from an office of Advocate Medical Group in Illinois may have exposed information of about 4 million patients, according to an Advocate spokesman.

4 million is about 1.3 percent of the entire U.S. population (about 313.9 million in 2012) ... on just four desktop computers.

Try that with paper ...

As to the subtitle of the article, "Computer Theft Raises Questions About Unencrypted Devices", I've written on that issue before.  I'd noted that such questions are remarkable considering that both Mac OS X and Windows ship with built-in, readily available full-disk encryption (FileVault and BitLocker respectively), the latter included only in the pricier "deluxe" editions such as Ultimate, Enterprise and Pro (see http://en.wikipedia.org/wiki/FileVault and http://en.wikipedia.org/wiki/Bitlocker).  Turning it on is a configuration decision, not an engineering project.
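Since "it's built in" only helps if someone actually turns it on and checks that it stays on, here is an added example (my own, not code from the article or from Advocate) of the check an IT department could run on each Windows desktop. It assumes Windows 8 / Server 2012 or later with the BitLocker feature installed, an elevated PowerShell prompt, and the standard `Get-BitLockerVolume` and `Get-Tpm` cmdlets; on a Mac the equivalent one-liner is `fdesetup status`.

```powershell
# Added example (not from the original post): audit BitLocker on every
# volume the OS exposes and flag anything a burglar could simply read.
# Assumes Windows 8 / Server 2012+ with the BitLocker module present.
#Requires -RunAsAdministrator

Import-Module BitLocker -ErrorAction Stop

$report = foreach ($vol in Get-BitLockerVolume) {
    # A volume can be FullyEncrypted yet have ProtectionStatus Off
    # (protectors suspended, e.g. after a firmware update). In that state
    # the key sits in the clear on disk, so treat it as unprotected.
    $protected = ($vol.ProtectionStatus -eq 'On') -and
                 ($vol.VolumeStatus -eq 'FullyEncrypted')
    [pscustomobject]@{
        Drive      = $vol.MountPoint
        Type       = $vol.VolumeType          # OperatingSystem or Data
        Status     = $vol.VolumeStatus        # FullyEncrypted, FullyDecrypted, ...
        Protection = $vol.ProtectionStatus    # On / Off
        Percent    = $vol.EncryptionPercentage
        Method     = $vol.EncryptionMethod
        Protectors = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
        AtRisk     = -not $protected
    }
}

$report | Format-Table -AutoSize

# A TPM lets the OS volume unlock without a boot-time PIN or USB key;
# without one BitLocker still works, but needs a startup key or PIN.
$tpm = Get-Tpm
"TPM present: $($tpm.TpmPresent), ready: $($tpm.TpmReady)"

$atRisk = @($report | Where-Object AtRisk)
if ($atRisk.Count -gt 0) {
    Write-Warning ("{0} volume(s) readable by anyone who walks off with the disk: {1}" -f `
        $atRisk.Count, (($atRisk | ForEach-Object Drive) -join ' '))
    exit 1
}
"All volumes are encrypted with protection on."
```

The script exits non-zero when any volume is unprotected, so it can run from a scheduled task or endpoint-management agent and feed an inventory; the "FullyEncrypted but protection Off" case is the one a casual `manage-bde -status` glance tends to miss.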

Perhaps the best explanation in 2013 for unencrypted desktop PCs holding millions of confidential medical records is this picture, symbolic of the apparent attitude of corporate and IT management toward health IT security:


Encryption?  We don't need no encryption.  We got triple protection already!


-- SS

2 comments:

Roy M. Poses MD said...

Note that the Advocate Health Care CEO was on the list (here: http://www.modernhealthcare.com/article/20130824/INFO/130829987/100-most-influential-people-in-healthcare-2013-text-list ) of most influential people in health care (see this post: http://hcrenewal.blogspot.com/2013/08/what-sorts-of-people-are-most.html ).

So I ask again: is the person who ought to be held accountable for the situation described by InformaticsMD above the sort of person who ought to be so influential in US health care?

Anonymous said...

One of the more interesting things is that the NIH and FDA mandate software that requires older versions of software now out of support. No security fixes, no updates, nothing available.