In November 2013, Kaiser Permanente reported one of the major data breaches of the fall. The company had to alert about 49,000 patients of the Anaheim Medical Center that their personal health information had been compromised. What happened? An unencrypted USB thumb drive with a copy of the information had gone missing.
Maybe it had literally been misplaced. Perhaps someone had found or stolen it. But that didn’t matter. Under the Health Insurance Portability and Accountability Act and California’s recent strong consumer data protection legislation, Kaiser had to assume that the information was possibly in the hands of someone unauthorized — someone who might attempt identity theft (health insurance identity theft is a prevalent but under-recognized problem), extortion, or otherwise misuse the data.
Although Kaiser notified patients in late November, it had discovered that the thumb drive was missing on September 25, more than two months before the notification. The truly remarkable thing, one that should make everyone with a master’s of information systems management (MSISM) degree take note, is that this was Kaiser’s second serious data breach in a few months.
With the Affordable Care Act actively promoting a more rapid adoption of electronic medical records to make care more efficient, the reliance on electronic data will only become more pervasive. Another way of saying that is that health care providers will face more potential breaches, each of which can create unavoidable negative publicity and the potential for significant regulatory fines.
Relying on specialty software or even hardware is not enough. Organizations, and the people who lead the IT departments in them, must create a sensitivity and awareness among personnel that will encourage proper practices and avoid end runs around security provisions.
The first step is for health care IT professionals to take a personal inventory of knowledge. Such an examination should include reviewing the regulations themselves, their requirements, and the necessary actions and possible penalties in case of a breach. But professionals should also candidly look at their attitudes and consider how they would react to the daily subtle challenges that can arise.
The government site HealthIT.gov has training games, one set for contingency practices and one for privacy and security. Although not “exhaustive,” the Web-based systems provide scenarios and questions that test some practical knowledge of regulations and common sense attitudes and inclinations. (Given that contingency planning can be crucial to information availability and security under unusual circumstances, playing both is wise.)
The humor is corny and some of the scenarios might seem obvious, but thinking through common situations is a first step to maintaining a robust approach to security — and avoiding the type of bad press that Kaiser received.