Blogger: Kevin Kampman
Over the Easter weekend, I had an inspiration for an Easter funny: I cut an egg carton down into an eight egg container, leaving the eight raw eggs in place. I gave it to my wife as an Octo Mom surprise. As a mother of multiples, she was amused, if only slightly. So it goes…
On a more serious note, Kaiser Permanente fired 15 employees for snooping into Nadya Suleman’s hospital records. Even if the logical access controls over this information weren’t sufficient to prevent inappropriate access, current policy and training were in place to identify that employees had no business accessing her records. At the end of the day it’s a business problem, and it is appropriate that Kaiser took a business action to remediate the problem. As we move down the experimental path of electronic medical records, enforcing policy and controls becomes more and more important.
If what happened to the Octo Mom is a harbinger of what can happen to conveniently accessible electronic medical records, then we have one more reason to delay or to scuttle that initiative. Efficiency and convenience shouldn’t facilitate the compromise of an individual’s records under any circumstances. Until the policies and controls are well articulated, understood, and enforced, there’s no reason to fertilize those eggs.


While I too worry about confidentiality of medical records (here in The Netherlands the roll out is continually in the news) I also worry about the availability of the same information - especially in an emergency.
Many years ago I was working in a university environment and deploying security measures on the basis that more or less anything was allowed, but we did a lot of logging. A colleague who had a military background thought I was mad.
I still think this is a reasonable approach. We don't limit cars to driving no faster than 70 mph - but we have men in blue uniforms who will occasionally pull us over.
The staff at Kaiser broke the rules. The good news is they got caught - and there were sanctions. That is the news, not the fact that security measures failed.
We need to publicise the sanctions at least as much as the original exposure if we want to reduce the risk of this happening again.
Posted by: KeithD | April 16, 2009 at 03:33 AM