paulmudgett.com

Governor Sandoval signed Senate Bill 43 to move forward with the State Health Information Technology Strategic and Operational Plan using federal stimulus funds.  This essentially gets the ball rolling for the development of a statewide system for the electronic exchange of health information.  The intent is to improve health care quality, prevent medical errors and reduce medical costs.

The new law appears to pull from HIPAA and HITECH in regards to data security and privacy.  Interesting that Texas, also driving forward on stimulus funding for electronic health records,  just enacted tougher protections because of the perceived weakness and lack of enforcement in the federal laws.   From the June 28, 2011 article “Texas Enacts Health Privacy Law” at govinfosecurity.com:

“…she was frustrated by the lack of HIPAA enforcement at the federal level and wanted to pave the way for ramped up enforcement of healthcare privacy rights at the state level.”  – Sponsor of the Texas law Lois Kolkhorst.

” The federal attempt to stop the sale of protected health information without consent in the HITECH Act appears to have been weakened so much that it’s not going to have any noticeable effect.”   – Privacy advocate Deborah Peel, M.D., founder of Patient Privacy Rights.

While Texas has defined broader protections, Nevada seems much more in line with HIPAA and places the design of standards in the hands of the Director of Health and Human Services.   Two different approaches with hopefully good results in relation to protected health information.  Time will tell if the expected outcome of of privacy and security required in this new electronic health information exchange will match the desired benefits to quality of care and reduced costs.

Photo credit: Tabitha Kaylee Hawk

Though it seems obvious that corporations have an obligation to protect the sensitive information they use for business it still amazes me that corporate behavior in this regard is still quite dismissive.  Lawsuits and public embarrassment seem to be the only catalyst for action for many organizations.  That is kind of sad.  Not only is information not being adequately protected by companies are ill-prepared for dealing with crisis.

As a recent example, in Connecticut, the Attorney General is suing Health Net for failure to protect medical records of over 450,000 patients.  The information was stored on a portable disk drive that “disappeared” from an office.   The information on that drive wasn’t encrypted.  Add to this the fact that the organization took six months to send notification to Connecticut residents whose information may have been compromised.  This is a failure on many levels but certainly a failure in leadership and crisis management.

What should we be asking ourselves?

1. We need to understand the information that we use and how we use it.  How is information accessed, transmitted and stored?  What is our legal (and moral) obligation to protect this information?
2. There is no such thing as 100% security.  If/when there is a breach, are we prepared to act swiftly and appropriately to mitigate the damage for our customers and ourselves?
3. Do we have a communication plan in place so that we can effectively provide notification internally and externally?
4. When examining other breaches, do we practice the same way?  Are we at risk of compromise?  How do we change this?

Part of information security isn’t just applying best practices and being vigilent.  Unfortunately, there is a need to be prepared for an incident or crisis.  I believe that one of the best recoveries from a crisis has to be credited to Tylenol in 1982.  Another example would be the handling of a Southwest airlines crash at Midway airport in 2005.  Neither one of these are information security incidents but certainly the lessons learned from their handling of a major crisis can be applied.  Just do a search and look at the response from a corporate point of view.  It’s really quite educational.

I hope we reach a time when breaches, lawsuits and embarrassment are not the motivators for applying sound information security practices and incident response plans.  I’m afraid I may be waiting for awhile.

A 38-year-old Avon Lake, Ohio man is set to plead guilty to federal charges after spyware he allegedly meant to install on the computer of a woman he’d had a relationship with ended up infecting computers at Akron Children’s Hospital.   (Misdirected spyware infects Ohio hospital.  McMillan, Robert. 17 September 2009. ComputerWorld.)

Graham certainly gets what is coming to him.  Sending spyware to your ex is more than a little creepy.  However, it seems to me the hospital is culpable in the release of protected health information (PHI) due to poor security practices.   The hospital has an obligation to protect this information yet they allow an employee to not only access personal e-mail but also download and install an application.  In this case it turns out to be spyware.

Unfortunately, this is a common occurance.  Employees use business assets as their personal playground, downloading and installing all types of applications that have no business being on the PC.  I’m not talking about pictures of Grandma Edith and the new puppy, rather peer-to-peer file sharing and communication applications, games, and other programs of amusement.  This places companies at risk for the accidental release of personal information or compromise of systems.

With more regulatory pressure being placed on organizations to protect personally identifiable information, companies are going to need to make a decision if they are running a business or a playpen.  It may be safer (and less expensive) to put in a foosball table and pinball machine than suffer the consequences of a breach.