Hacker News, Aug 14, 2017 [dead]



I fear that shallow stories like the one here just conceal the real problems and stir up FUD.

What does it mean that "an employee" of a nursing home / rehab facility accessed the records of almost five thousand patients? Some employees of such institutions have the duty to look at patient records to, for example, decide whether to offer these patients beds in their facilities. That can't be done properly without looking at the actual medical records: can the facility provide the prescribed physical therapy? occupational therapy? medications? wound care? If not, it's bad for the patient and the institution to accept the patient. That's the entire point of a medical record.

What was this employee doing with the records? Running betting pools on whether his favorite professional ball player would show up (no good). Trying to find his ex-wife's records? (no good). Trying to make sure his facility could care for them properly? (good). Selling their home addresses and the dates of their transfers out of the hospital to thieves with moving vans? (no good, and a genuine problem.)

By the way, competent police read published obituaries and patrol the homes of families of deceased people during wakes and funerals because they know thieves do the same.

What the heck good does credit monitoring do? Most of these patients need the help of a family member to actually make sense of credit monitoring.

Oh, and it's unlikely any employee of a HIPAA-covered facility didn't get at least some confidentiality training. HIPAA and HITECH (ARRA 2009) patient privacy laws "pierce the corporate veil" and make officers and supervisors personally liable for intentional breaches.

The popular press needs to get better at this cybersecurity beat.
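The point of the comment above is that "unauthorized access" only means something relative to a documented purpose of use: an intake reviewer reading the records of patients referred for placement is doing the job, while the same person opening a few thousand unrelated records at night is not. The following is an added example, not code from the thread or from any of the systems discussed, that shows how an audit-log review can make that distinction. The log format, the referral list, the role-to-purpose table and every record are constructed for illustration.

```python
"""
Added example (not from the thread): a small audit-log review that separates
record accesses that match a documented purpose of use (the patient was
referred to the facility for placement review) from accesses that do not.

The log format, the referral list and every record below are constructed
for illustration; no real EHR emits exactly these fields.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log: timestamp, user, role, patient id, action
SAMPLE_LOG = """\
2017-08-01T09:02:11 jdoe   intake  P1001 view_record
2017-08-01T09:05:40 jdoe   intake  P1002 view_record
2017-08-01T09:07:03 jdoe   intake  P1003 view_record
2017-08-01T21:14:55 jdoe   intake  P2040 view_record
2017-08-01T21:15:10 jdoe   intake  P2041 view_record
2017-08-01T21:15:25 jdoe   intake  P2042 view_record
2017-08-01T21:15:41 jdoe   intake  P2043 view_record
2017-08-02T10:30:00 msmith billing P1001 view_record
2017-08-02T10:31:00 msmith billing P3001 view_record
"""

# Constructed referral list: patients whose records an intake reviewer is
# expected to read before the facility decides whether it can care for them.
REFERRED_PATIENTS = {"P1001", "P1002", "P1003"}

# Constructed role-to-purpose table: which patients each role has a documented
# reason to open. A patient outside this set is "outside documented purpose".
ROLE_PURPOSE = {
    "intake": REFERRED_PATIENTS,   # placement review of referred patients
    "billing": {"P1001"},          # only the patient actually being billed
}


def parse_log(text):
    """Parse the constructed whitespace-separated log into dicts."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split()
        entries.append({
            "ts": datetime.fromisoformat(ts),
            "user": user, "role": role, "patient": patient, "action": action,
        })
    return entries


def review_access(entries, burst_window=timedelta(minutes=5), burst_limit=3):
    """Return a list of findings; each finding is (user, patient, reason).

    Two checks:
    1. purpose: the access is to a patient outside the role's documented scope
    2. burst: more than burst_limit out-of-scope accesses inside burst_window,
       a pattern that looks like enumeration rather than case-by-case review
    """
    findings = []
    out_of_scope = defaultdict(list)
    for e in entries:
        allowed = ROLE_PURPOSE.get(e["role"], set())
        if e["patient"] not in allowed:
            findings.append((e["user"], e["patient"], "outside documented purpose"))
            out_of_scope[e["user"]].append(e["ts"])

    # Sliding window over each user's out-of-scope access times.
    for user, times in out_of_scope.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= burst_window:
                j += 1
            if j - i + 1 > burst_limit:
                findings.append((user, "*", "burst of out-of-scope access"))
                break
    return findings


if __name__ == "__main__":
    for user, patient, reason in review_access(parse_log(SAMPLE_LOG)):
        print(f"{user:8} {patient:6} {reason}")
```

In a real deployment the referral list comes from the admissions system and the entries from the EHR's own audit trail; the shape of the check is what matters. Every finding is stated against a purpose the organisation wrote down beforehand, which is exactly the information a breach notice that only says "an employee accessed records" leaves out.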


"unauthorized access to patient medical records for the past two years by an employee" probably means that someone two years ago had downloaded some patient data to a laptop, or maybe a thumb drive, probably for some legitimate work task that couldn't be accomplished on the authorized systems. Then the device was possibly lost or stolen.


The only solution for Healthcare is complete cloud based everything with the exception of PACS systems. Healthcare providers, in general, lack the leadership, will, resources and talent to do security in any fashion resembling correctly.

The only onsite equipment should be networking gear with redundant uplinks. All inpatient data generating equipment should route directly to the cloud for storage and processing. PACS excluded.


> The only onsite equipment should be networking gear with redundant uplinks.

Good luck if the "redundant uplinks" fail, e.g. due to a large-scale terroristic attack (no matter if physical or electronic), or if the cloud breaks down - even Amazon can have multi-hour outages - or if there's a virus propagating through the cloud system. For what it's worth, the NHS got hit by both a virus (Wannacry, 2017 http://www.telegraph.co.uk/news/2017/05/13/nhs-cyber-attack-...) and an email-bomb DoS (2016 http://www.bbc.co.uk/news/technology-37979456).

With on-site IT you can at least make daily (or hourly) tape backups of everything and can properly store and retrieve them, good luck doing so with Amazon Glacier.

Just imagine an entire country unable to provide qualified medical assistance because a cloud provider goes down. And yes you do ALWAYS need access to a patient's background info, for example to look up if the patient is allergic to some medicine.


I agree with both of you. The state of software and systems in IT is untenable, and it will be a huge anchor on productivity. Absolutely no mid-sized medical practice is capable of maintaining these systems to any level of standard, and I do believe this is one of those areas that is far better served as a centralized SaaS model. As you mention, this opens up a new set of systemic vulnerabilities that should not be ignored.

I see this becoming more like a large app that lives in the cloud, with a "black box" that acts as a local cache for any medical records assigned to the practice in question. Basically you get access to the "global interchange" of medical records/billing/whatever - and you still have the digital equivalent to a basement full of filing cabinets for the records you need on-site. Yes, if the "uplinks" go down you will lose access to the wider network - but at least the problem of accessing things you need during emergencies and outages is very solvable.

Nothing I've seen related to healthcare IT has made me very optimistic of something like that being implemented in a competent manner however.


> In Cincinnati, Ohio (USA), the Daniel Drake Center for Post-Acute Care of the UC Health system has reported unauthorized access to patient medical records for the past two years by an employee

Oh, so UC ~ University of Cincinnati or such? I'm used to it referring to the University of California and thought their med schools were the ones being referred to.


In case you're curious - uc.edu is the site for Univ. of Cincinnati, so it has a pretty good claim on that abbreviation.

It's funny though - I recently moved to Cincinnati from the Bay Area - if I'm in Cincinnati and refer to UCSF, most people assume it's some division of Univ. of Cincinnati. So, I guess the ambiguity goes both ways.


Yep, UC Health as in the medical care provider associated with the University of Cincinnati College of Medicine. Press release regarding the breach here:

http://uchealth.com/press-releases/daniel-drake-center-for-p...

Side note - I'm a patient of UC Health and hadn't seen this news until now, but I'm also not within the scope of this breach. They've been great medically, but I agree with the post that some follow-up information would be much better.


FWIW, the civil rights office for Health and Human Services keeps a database of all data breaches that affect 500 or more individuals:

https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf


In healthcare IT this is dubbed the Wall of Shame.


The single biggest issue in healthcare IT is that biologists want less than nothing to do with IT. They actively run from it, despise it, ridicule it, anything to avoid dealing with it.

Source: I'm seeing the effects right now in a major EMR rollout. The entire bureaucracy is avoidant.


Um, for good reason?

Politically, healthcare IT is underfunded and radioactive.

IT in healthcare can only cost money and cause problems. The only question is whether it costs a little (everything is running, sort of) or a lot (FDA shutting you down with criminal charges).

Until a few more situations like St Jude pop up and punish the stock price and CEO's bonus, healthcare IT will continue to suck.

https://www.nytimes.com/2016/09/09/business/dealbook/hedge-f...


Biologists don't deal with EMRs, healthcare professionals do.

And have you seen the typical EMR? Is there any wonder? These are worse than the typical in-house "enterprise" "webapp" and have made data entry an absolute hassle, a complex nightmare, worse than the days of green-screen vt100. The engineers/managers that produce these beasts are some of the worst villains in healthcare, IMHO. Absolute scammers that take ridiculous amounts of cash to deliver substandard products that make the lives of everyone worse.

Just look at the rates of data export for patients to see how terrible EMR providers are. It's an offense to software engineering.

And then you have the software people blaming the users. Yes, the users. Clearly they're the ones who are at fault for not enjoying their dogfood.


> Biologists don't deal with EMRs, healthcare professionals do.

Healthcare professionals are a subset of biologists. But outside of computational biology and a few odds and ends (electrophysiology comes to mind), I have seen precious little evidence throughout the range of biologists of anyone having any interest in math. And I am about as close to basic science as any physician can get.


> Healthcare professionals are a subset of biologists.

The ones who keep the records aren't. The people who actually record everything in a form for submission are, in my experience, rarely any form of licensed clinical practitioner. And "interest in math" seems orthogonal to your original concern.


So what? Are you sitting and reading Anatomy textbooks in your free time? Who cares if they are interested in math or not. This is a highly obnoxious viewpoint and it's no wonder to me they aren't interested in dealing with you.


These massive breaches sort of scare but at the same time sort of relieve me. If everyone has their information leaked, there is a low chance that any one person will be an identity theft victim.


Is it about time for health data to migrate to blockchain?


The tech stack usually isn't the point of failure.



