Danny Lieberman, founder of Pathcare, the private social network for healthcare that enables physicians to care for more patients with less stress in less time, explains that patient privacy breaches are caused by people, not by hackers.

Dateline 2011 Canada – a hospital imaging technician accesses the medical records of her ex-husband’s girlfriend.

Leakage of patient data in hospitals is common because there is a lot of it floating around and because of human nature.

We are concerned about the health of friends and family and tend to worry when we don’t have all the information – a common situation when a friend, child or parent is hospitalized.

Being human, we may bend the rules just a tad in order to get information about our loved ones’ condition. Bending rules and getting patient files from a friendly nurse is a slippery slope to breaching patient privacy.

The right to patient privacy

The Health Insurance Portability and Accountability Act (HIPAA) in the US and the Data Protection Act (DPA) in the UK set policy favoring patients’ right to confidentiality.

HIPAA and DPA regulations grant government protection for patients’ personal health information (PHI) held by hospitals and physicians and give patients rights regarding that information – in other words, it is the patient who must grant access.

What exactly is PHI and when is it considered “private”?

Electronic protected health information (ePHI) is any information in an electronic medical record (EMR) that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service such as diagnosis or treatment. This includes names, geographical locations, dates of birth and other dates, phone numbers, email addresses, social security numbers, medical record numbers, license plate numbers, driver’s license numbers and biometrics.

Basically, any combination of personal identifiers that can be used to steal a person’s identity becomes ePHI when combined with EMR data.

Why patient privacy is breached

The PC term is “unauthorized disclosure” but at the end of the day – patient privacy breaches involve theft of someone else’s data.

The key attack vector for a patient data loss event is people – often vendors and business partners working with employees.

Social engineering works

People handle data and do not follow policies, especially when they feel they must be compassionate to a person whose wife is hospitalized. But – the story of the hospitalized wife may be fabricated: it can be a person pretexting as the husband, looking to obtain patient information in order to build a case that the real husband was negligent, in support of a divorce case and a claim for damages and support.

Bribes also work

Today – people are increasingly conscious that information has value – that information has some value to someone, and that someone may be willing to pay or return a favor.

How we can protect patient privacy: the 4 key don’ts

The first thing is to set an example for others.

Patient privacy is an ethical issue which is best addressed by hospital and clinic managers setting rules and abiding by the rules themselves – starting with setting down 4 don’ts:

  1. Don’t provide patient files to non-staff
  2. Don’t use hospital devices and PCs for personal surfing
  3. Don’t give strangers medical information
  4. Don’t provide information over the phone to people you do not know personally

Danny

Danny Lieberman is the authority in applying threat analysis to Governance, Risk, and Compliance (GRC) in healthcare. He is a sought-after speaker, prolific blogger on healthcare technology, and advisor on software security and privacy compliance issues to healthcare and medical device vendors. He is passionate about Pathcare: the private social network for a doctor and her patients. Danny is a solid-state physicist by training, professional programmer by vocation and avid amateur saxophonist and biker.

One Response to It’s people, not hackers who threaten patient privacy
