Monday, September 20, 2010

Data Breaches - Who Really Loses

It's unfortunate that when a data breach happens the real losers are those who have no stake in the matter whatsoever.  In fact, the real losers in a case like that of the Lucile Salter Packard Children's Hospital at Stanford University are likely patients who have had nothing to do with this data breach.

When information is lost, the first thought often is to fine, fine, and fine again these institutions we find to be negligent in either securing their patient's data, or reporting the breaches.  The problem comes in when the fines actually start hitting, and you come to realize who's really paying them.  I'm all for levying large fines against institutions who neglectfully lose my patient health records, but is it really in my interest to fine the institution large sums when the costs will most likely simply be passed along back to me as the patient?

Think about it.  Really think about who's paying the costs for the fines being levied against hospitals, doctors and other practices when patient data walks out the door with a computer like in this case.  This $250,000.00 fine isn't coming out of the hospital administrator's salary.  It's probably not coming out of the pool of money that gets paid to the hospital's top administrative team as a yearly performance bonus.  Nope, it likely gets absorbed as an operating cost, and passed on either through higher rates or some other crap to the patients that end up there looking for care.

Let's forget the Lucile Packard Hospital case and take any particular medical establishment that has data breach issues.  As yourself who makes the decisions to skimp on security and then who gets to face the media when it comes to being the scapegoat.  It's interesting that I've never seen a clause that comes with these types of fines that says something to the effect of "fine must be paid out of hospital administrator's salary" or something like that.  Of course, it'll never happen with the amount of money the medical industry spends lobbying our dear members of the government...

By the way, let's go back to this Children's Hospital for a second.  If you read the article I reference you could almost be convinced the hospital did everything right, including launch its own investigation and determine that the patient information was in no way compromised, etc, etc, etc ...(wait ...what?).  The incident centers around an employee who used a computer which had access to patient information (so the data access is computer-based, not user-based ...interesting access model, wouldn't you say?), and was allowed to walk off premises with the computer (how does something like this happen, in real life?)... and they're surprised that the computer was not recoverable?!

There are two stellar quotes in this article I referenced... one from Susan Flanaga, RN, COO, which reads
"The privacy and security safeguards we employ are some of the most advanced technologies and controls available to hospitals today."
I chuckled when I read that.  These supposed advanced safeguards couldn't prevent a person who shouldn't walk out with a computer from taking it home with them?  The other awesome quote is this one:
"Even though the investigation revealed that no patients were harmed and apparently no patient information was compromised..."
Wait did he [Ed Kopetsky, the CIO] determine that?  Since they could not recover the computer, how exactly did they know that none of the information was compromised?  Isn't that the whole point?

I'm sure they could have been using full-disk encryption, combined with software that prevented the machine from booting off-site, combined with an automatic-self-destruction program ... but then the story would have been much less exciting and the fine probably wouldn't have happened.  Right?

Oh well, I guess the costs get passed onto the patients, they throw on another "agent" to every one of the machines or have every employee sign yet another affidavit saying they won't steal data and life goes on...

1 comment:

Anonymous said...

Clearly, organizations must understand that incidents of data breach such as that at Children’s hospital can lead to customer migration to competitors and loss of business reputation. Organizations must have access control policy and user monitoring mechanism in place to restrict access to systems containing sensitive information. The IT department must create awareness among employees on threats in the IT environment and the importance of information security for successful business operations.