A little
more than thirty days ago, a statistician at the Palm Beach Department of
Health accidentally sent out an internal email containing a list with the names
of more than 6,000 local residents with HIV and AIDS. Officials immediately shut down and scrubbed
the county network. Relieved supervisors
praised the rapid response of the county IT department, which
was able to eliminate all of the offending emails within 10 minutes. A lot of
people – including me – wondered how they could be so sure the problem had been
solved that easily.
A month
later it looks as though somebody has gotten their hands on the list. One by one, mysterious letters have begun turning up at
the homes of people with HIV/AIDS across Florida. Not surprisingly, many of those people are
upset and quite understandably concerned that the information could travel further.
The director of the Palm Beach County health department calls the
incident “medical terrorism” and says the letters remind her of the 2001 anthrax
attacks. That may well be a little
strong.
Like the
Kaiser Permanente story, the Palm Beach debacle has been
largely ignored by the media in the early going. The issues the incident raises, however, are very
similar. How safe are patient medical records, really? What use are expensive network security
systems when human error can easily bypass their defenses? If recent trends are any indication, these
cases are only the tip of the iceberg. That
should be very worrying.
HIPAA was designed, at least in part, to prevent this kind of problem. The real
question at this point seems to be how effective is it really going to be at doing its job? A little over a month from now, we’ll have a
very good idea.
County health officials in Palm Beach are arguing – in
the way officials often do – that last month’s email incident and this latest
problem are a complete coincidence. That
boggles the imagination. Such coincidences just don’t happen. The
story itself
is made a little more interesting by the fact that the letters do not
appear to
be at all threatening. The problem is that they reveal information they
shouldn’t. Whoever is sending them appears to be motivated by a desire
to reach to the HIV/AIDS community and to simply have not thought
through his or her plan
very well. This is one to follow.
Categories: Uncategorized
Personal Health Records allows patient to provide doctors with valuable health information that can help improve the quality of care that patient receives. Personal Health Records can help to reduce or eliminate duplicate tests and allow you to receive faster, safer treatment and care in an emergency and helps to play a more active role in yours and your loved ones’ healthcare.
So… why hasn’t anyone tried to contact the person sending the letters? What content do the letters contain? The article says that the letters are not threatening, and merely constitute an outreach attempt — did someone manage to buy a list of local HIV/AIDS diagnosees? This could indicate, it seems to me, that the list passed out of the hands of one of the people involved and into the hands of someone buying lists. Indeed, it might /not/ be related to this incidence. … But one should hope that Hipaa compliance would be stronger than that. In my experience with medical personell even before Hipaa, patient information was a sacred untouchable thing.
Good point Newbie Wonk! That’s precisely the point I’m arguing in my post. I’m not saying these questions need to be studied; as you point out, they already have been.
But not many people in the world at large are aware of that fact, because not very many people know much about the issues involved. Which means the issue will be brought up again. And again. And again …
Three months from now, I think it safe to guess that we’ll be hearing the same questions asked in Washington and in the media after another one of these leaks. And we all know what that could mean: more legislation!!!
“How safe are patient medical records, really? What use are expensive network security systems when human error can easily bypass their defenses?”
Patient medical records are at best, minimally safe. Computer security (and non-computer real world physical security) needs to be process driven, not product driven. It doesn’t matter if you use the world’s greatest firewall or the most secure encryption algorithm. If someone writes down their password, or an insider wishes to steal information, or if someone simply isn’t trained in security procedures, then the party’s over…security is compromised.
The idea cited above (about computer security being process driven) comes from Bruce Schneier. If you’re not acquainted with his work, I HIGHLY recommend two of his books, “Secrets & Lies” and “Beyond Fear.” Schneier is a mathematician and computer security guru. His writing is engaging, easy for the lay person to understand, and relevant to all areas of security. You’ll be a much better analyst of the healthcare IT arena once you read his books.
http://www.amazon.com/exec/obidos/tg/detail/-/0387026207/qid=1112256977/sr=8-1/ref=pd_csp_1/103-6749513-7165443?v=glance&s=books&n=507846
You can also subscribe to a free monthly security newsletter called “Cryptogram” available through his web site: http://www.schneier.com.
If I were a spokesman for the county I’d say you’re making a post hoc ergo propter hoc argument, but that would be spin. The coincidence is too great.