Friday, August 25, 2006

Drive my Car

From the Detroit News comes yet another example of the risks of treating PHI like the photos of your vacation, and allowing users to carry it around on portable devices:

It's ironic that while parents can't gain access to the medical records of college-age children still living under their roof, a laptop computer containing the medical histories of more than 28,000 Michigan residents was missing for days in Metro Detroit.

The laptop was assigned to a Beaumont Hospital home care nurse, and was stolen from her unlocked and running car when she stopped in Detroit for a restroom break. Fortunately, it has been recovered with the data apparently untapped.

The stupidity of the nurse is beyond belief. But even more unbelievable is that Beaumont or any other hospital would be so careless with the private medical records of its customers.

In the end, stupid stuff like this comes back to us. We must have systems in place that make it easy for users to do their jobs, while at the same time making it difficult for them to drive around with thousands of records in the back seat of their car. The administrators failed in three places on this one: they failed to train the user correctly, they failed to put systems in place to limit the availability of PHI, and they failed to secure the data itself.

And from the Detroit Free Press come these additional details:

The security lapse, disclosed Tuesday by Beaumont officials in Troy, is not an isolated occurrence in these days of portable technology and information sharing, but it underscores the need for greater enforcement of laws intended to protect patients' privacy, advocates said.

Beaumont Hospital officials said the laptop, which contained Social Security numbers and medical information, was stolen earlier this month from the car of a home care nurse. They said the nurse broke hospital policy by leaving her access code and password with the computer.

There are a number of reasons why a user leaves their password written down: poor training, too-complex passwords, simple idiocy. While the human capacity for the last seems infinite, it can often be circumvented by proper application of the first and avoidance of the second.
