Fri, 2008-07-04 12:38

I recently spent a few days in the hospital and had a couple of epiphanies outside the narcotics I ingested. My information in multiple physical and electronic shapes and forms now lines the virtual airwaves and filing cabinets of several healthcare providers within the medical community associated with the last several days.

A major concern I have is the adequate confidentiality of the individual records being managed electronically. According to the LA Times, roughly 150 people (from doctors and nurses to technicians and billing clerks) have access to at least part of a patient's records during a hospitalization, and 600,000 payers, providers and other entities that handle providers' billing data have some access. Based upon the number of different ‘regular’ nurses per day (3), personal care assistants per day (3), IV therapy nurses (2), surgeons (3), doctors from my local clinic (4), nutritionist (1), etc., you get the idea. Of course there was no personal confidentiality as I lay there in my johnny, exposed as required, with twin IVs running out of my arms. The six-minute hit between morphine drips of one gram a pop was a hoot, as I was able to legally hallucinate about weird things like identity and access governance in the form of a Blue Meanie. This just gave the staff more time to violate any shred of modesty I had left. Was the morphine for me or for them?

Multiple access points over an open network like the Internet increase the opportunities for patient data interception. This hospital had 4 wireless access points (all secure, or at least appearing secure – of course I didn’t go into the hospital to hack but to be hacked). The question is, ‘Why do you need 4 different WAPs?’ Was one for the consistent and rhythmic beat of the hearts of those being monitored? Was another for nurses and surgeons to communicate? Was yet another used for IT staff backend support? Was the last used by bored nighttime staff playing a medical version of Doom whereby they hunt down hideous infections running rampant in an endocrine system? <Morphine hit please> Why four? (And how did they get the funding for four freakin’ WAPs?)

The organizations and individuals charged with the management of this information are required to ensure that adequate protection is provided and that access to the information is only by authorized parties. Yeah, and I didn’t traverse the hallways one day with my derriere promptly presented to those I schlepped by. Somehow I don’t believe access is foremost on their minds. Heck, the nurses were just issued cell phones recently; why would I presume to think access and identity management issues would run as smoothly as a new scalpel across virgin skin? <Morphine hit please> I know the surgeons and nurses knew their stuff and ran a very professional operation, but I wonder what type of salary is paid to security types in hospitals. I know they are considered overhead, only there due to HIPAA and maybe some JCAHO requirements, but I would imagine this is not their first priority.

The growth of electronic healthcare records creates new issues: electronic data can be much harder to secure than paper, and lapses in data security are increasingly being reported. Information security practices have been established for computer networks, but technologies like wireless computer networks offer new challenges as well. Regardless, my data is flowing around this hospital in reams of records. The amount of data they had on hand during initial consultations reminded me of FOIA (Freedom of Information Act) requests and the stack of info you get back on the clearances you have had. They entered the room with a large folder with my name on it, surrounded me on three sides, and began peppering me with questions in a staccato sequence meant to work the muscles in my neck (without the aerobics music) <Morphine hit please>.

Anyway, there isn’t a whole lot I can do about it, but I can revel in the fact that I am not there anymore; that I lost 18 pounds without bingeing and purging; that modesty is only a push button away from false; and that I did my part to contribute to the glut of information being stored (EMC should thank me!) <Morphine hit please>