March 24th marked the day of one more privacy breach of someone's healthcare records. Nothing unusual there, except that one of the 3,000 electronic patient records on the laptop stolen from the trunk of a car belonged to Congressman Joe Barton (TX), ranking Republican on the Energy and Commerce Committee. Barton learned of the breach through press reports. Interestingly, Barton is one of the founders of the Congressional Privacy Caucus, whose mission is to educate members of Congress on matters of individual privacy. Barton was enrolled in a cardiac study at NIH. (See the AP article on the event.)
So, one more day and one more privacy breach due to a stolen laptop. The NIH said that to prevent a similar event in the future, it would instruct staff on policies concerning data security and the importance of adhering to those policies.
What I am compelled to ask is this: does anyone think that they can prevent further privacy breaches through education and training? Have we not had enough of these violations to realize that this is a process problem rather than a people problem?
The response to these breaches reminds me of how the automobile industry responded to complaints about the poor quality of its cars. Rather than revamp their manufacturing processes, as the Japanese did, they blamed the automobile worker for the defects. Perhaps this "head in the sand" approach opened the door for the Japanese to dominate the domestic automobile market.
My suggestion to all these organizations that are worried about privacy breaches is to spend some time studying the work of Deming and Juran. I would also pay attention to Don Berwick, MD, founder of the Institute for Healthcare Improvement, who authored the groundbreaking book Curing Healthcare, which explained how to apply the principles of continuous quality improvement to healthcare.
These breaches are due to poor processes that do not remove the human element from the security equation. For example, it is perfectly reasonable to think that at least one of the thousands of hard-working researchers at the NIH would want to take a laptop home to do research over the weekend. It is perfectly reasonable that the researcher would leave the laptop in the trunk of a car while stopping somewhere to run an errand. And it is perfectly reasonable that a thief would break into the car and steal the laptop. It has happened before and it will happen again.
If we really want to stop these breaches from occurring, we need to focus on technology that removes the human element, and therefore the risk, associated with handling sensitive data. For example, all data collection software can be configured from the start with encryption, so that a stolen laptop yields nothing readable. In addition, the database can be made to open only with a biometric-based key (e.g., a fingerprint) rather than a hard-to-remember but easy-to-guess password. Surely there are other technologies and processes that experts can devise to greatly improve on what was just suggested.
If we really want to improve the security of our electronic records, it can best be done through smartly designed processes rather than new regulations or legislation.
Barry P. Chaiken, MD, MPH, has over 18 years of experience in medical research, epidemiology, continuous quality improvement, utilization management, risk management, health care consulting, and public health. He is a member of the board of directors of HIMSS and a former associate chief medical officer of BearingPoint.