Schneier on Security
A blog covering security and security technology.
« More Behavioral Profiling |
| Merchants Not Storing Credit Card Data »
October 15, 2007
27 Suspended for Looking at George Clooney's Personal Data
It's nice to see the Palisades Medical Center take this kind of action. I wish places would do the same when the personal data of non-celebrities is exposed.
Posted on October 15, 2007 at 11:11 AM
• 19 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
The problem is that often there is no knowledge by the person that their record has been looked at without the appropriate permisions etc.
In the U.K. they have run out a newish system (RiO) that just gives a couple of warning messages (about auditing) but still lets anybody in to the records. All in all it is fairly pointless security, which is why quite a few clinicians effectivly boycott the system by entering only minimal information (like time of next apointment) and nothing else.
What is needed is well structured security and the ability for a patient to see exactly who has seen their records and when whenever they wish to. As well as a mandatory reporting procedure for unauthorised access at all levels (including the Health Ministers and their cronies).
In Clooney's case, it helps that he's well-liked by the public and has gobs of money, so that he would win any lawsuit.
As for the rest of it, they win, we lose, so let's get used to it.
The commenters show ignorance of HIPAA. First, it is not the patient that detects violations. It is the healthcare providers job. In this case, the provider was auditing access to the data and did detect inappropriate accesses. (Almost all HIPAA enforcement is audit based because it is unsafe to require a visit to the security office for access authorization before responding to a patient emergency. Instead you monitor, audit, and penalize inappropriate behavior. Medical staff usually have enough self control to behave themselves.)
Second, enforcement is not through patient lawsuits. It is via regulation. The expectation is that the employer will take appropriate action without requiring regulatory action.
This case is good news, and it is good that it is getting publicity. It is not unique, but an employee suspension for looking at their neighbors medical record won't even make the local news. So you do not see news of the usual infractions and their punishment. There remain plenty of lazy hospitals that take the least effort path to enforcement (e.g., none), but there are also good ones. News like this encourages the good ones.
Have you seen this yet?
Oh dear. So votes are transmitted via quantum cryptography, meaning they might be lost if somebody tampers with them, depending on the system. People might still read what's in them, provided the votes aren't anonymized beforehand that'd be painful. And they're still not safe from being tampered with on the machine...
Suspension is *not enough*. Besides violating the law, this indicates that they would do it again if they thought they would not get caught. If this is true, they should be FIRED and have their licenses reviewed for possible cancellation.
Imagine if it was gerbil-extraction surgery. Is it anyone's business (besides the patient, his/her care team, and the rodent) what happened?
First rule should be gather the absolute minimum of information necessary and retain it only as long as necessary. This does not allow for "repurposing", but that should require separate collection and informed consent anyway.
Second rule should be that all information about a patient is his or her property and therefore, that patient must approve every access or use of that information (other than collecting payment for services rendered) and has an absolute right to see at any time who has accessed such information and for what purpose.
Third rule should be that management is responsible for ensuring that proper access controls are in place and functioning. A kind of Sarbanes-Oxley for medical data.
A couple of anecdotal data points:
- I know a nurse who works at a Los Angeles hospital that frequently has famous patients. She says that the nurses are very aware of HIPPA, and apply it to non-famous patients as well. Out of over-caution, sometimes they deny legitimate requests for information by family or even the patients themselves.
- I knew a worker at a health insurance brokerage that sold insurance to small and medium sized companies and acted as the go-between for the carriers and the client's HR managers.
The brokerage workers have heard of HIPPA. They know enough not to give out private information to a caller without ID verification. And *sometimes* they bother to password-protect emails containing name/SSN/dob or medical information. But they don't use paper shredders. They don't encrypt their disks or backups. Their WiFi isn't secure. They have absolutely no sense of urgency, caution, fear of administrative action, loss of reputation, or legal liability.
Because HIPPA has no teeth, insurance brokerages are a flotilla of data Valdezes just waiting to happen.
Interesting related story unfolding in South Africa. A newspaper reported that the country’s Health Minister was abusive to staff and abused alcohol during a stint in hospital. That she was an alcoholic and this contributed to her outrageously poor performance as health minister. She has subsequently had a liver transplant.
The story was sourced partly from her health record that appears to have been stolen.
The newspaper’s editor is now facing arrest for stealing the health records or being in possession of stolen property.
A previous court judgment ruled that the records be returned - but that the story was in the public interest.
Here's a wild idea, which probably wouldn't work (like most ideas relying on spiffy cryptomath). My doctor and I create a key pair. Any time I want I can identify myself (by name, NOT using my key), and ask him to prove he has his half by, say, decrypting something. And we have some kind of contract that states that he will pay me $buckets if a) he no longer has his key, or b) I come into possession of his key.
He has to keep a secure and handy record of my key (filed under my name). He has to keep my medical records. So now the easiest thing might be to keep them together, securely.
Or he can stick it all on a giant post-it and attach it to his screen :). Passwords we don't need no stinking passwords ...
It is also worth noting that far more secure medical records systems that can prevent at least unauthorized access to the data (still not stopping authorized people from talking) do exist - in fact one of the best is in the VA medical system
The primary problem in most cases is with people that have legitimate access to PHI. Technical means of prevention are not useful there. And even logging only goes so far, since most accesses won't look suspicious since access to medical PHI data is common activity for most people working in healthcare.
The real problem is when someone with legitimate access decides to disclose this info for non-legitimate uses. And short of the publicity of the Clooney case, it is very hard to know what is done with the data after it is accessed.
Also realize that healthcare is already very expensive and many kinds of technical measures are pricey - and still ineffective.
...this is news because it's so unusual for any real punishment (..a month's pay) to be levied against violators.
How many thousands of illicit accesses per day are experienced within the vast government databases controlled by law-enforcement, courts, tax bureaucracies, etc. ??
Note that Clooney himself expressed a wish that the concerned people not be suspended for this infraction. Of course his wishes here aren't really relevant, since the infraction was against the system as much as him personally. (Also, the next person may well not be as forgiving.)
I'm curious about what titles the workers had. Supposedly, the harder somebody has to work to obtain their license, the more they'll protect it. But that's "supposedly".
Also, I wonder if any of the people fired did not actually access Clooney and friend's digital files, but instead just forgot to log out of their terminal? It's been a few years since I've worked at a hospital (quit before HIPPA), but when I did, there were plenty of unlogged terminals with working screens still opened. Maybe that's not happening as much since HIPPA.
A Nonny Mouse:
1. Huh? and 2. do I want to know what this means?
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.