The National Institutes of Health. The Gap. Pennsylvania Department of State. Blue Cross/Blue Shield. Harvard University. Kraft Foods. Tenet Healthcare Corporation. What do these seemingly disparate organizations have in common? They’ve all experienced either outright theft or inadvertent loss of sensitive consumer or patient data — just between February and March of this year.
The missing data ranged from dates of birth, Social Security numbers, credit card numbers, medical conditions, to even political affiliations. How did this happen? Stolen laptops, hard drives, and flash memory sticks top the list. Other organizations mistakenly sent e-mails containing private information to unintended recipients, had consumer data retrieved from discarded PCs, or experienced Web programming errors.
According to the U.S. Department of Justice statistics, identity theft is currently surpassing drug trafficking as America’s No. 1 crime.
And while the sheer size of these organizations might make them tempting targets for crooks, don’t assume that your practice is safe just because it’s smaller than the NIH. Anyone can be a victim. But there are ways to protect yourself — and your patients.
In 2006, the nonprofit Privacy Rights Clearinghouse’s analysis of data breaches found that of those reported by medical organizations, 40 percent were attributable to laptop thefts, 20 percent to “insider malfeasance,” 20 percent to “human/software incompetence,” 17 percent to non-laptop computer theft, and 3 percent to outside hackers. A study by the University of Massachusetts Dartmouth conducted in 2004 estimated that in the U.S. alone, a laptop is stolen every 53 seconds. Gartner, Inc., a worldwide IT research and advisory company, says its research reveals that 80 percent of computer crime consists of “inside jobs” by “disgruntled employees.”
In February, a laptop containing the names, Social Security numbers, and personal health information of 4,800 patients was stolen from the relatively small University Health Care in Salt Lake City. Reports of stolen or lost patient data abound among practices large and small.
Do you or your staff take home laptops to catch up on patient paperwork outside of clinic hours? Do you ensure that your staff members are able to gain access only to the patient information they need to do their jobs? Do you know where your patient information resides within your network, PCs, portable devices, and backup storage? And how secure is your practice’s office building when you’re not in it?
Very few practices can confidently answer all of these questions. And the consequences of such ignorance can be devastating.
Take the case of Compass Health, a small mental-healthcare provider in Washington, which in June 2006 reported a laptop theft to authorities. The computer contained patients’ Social Security numbers and clinical and demographic data. The practice sent letters to all potentially affected patients with information about the steps they should take as a result of the theft. And it distributed a state wide media advisory in an effort to notify other individuals for whom it did not have current contact information. And then, of course, came the calls from local and national media outlets.
All this over a single stolen laptop.
“The nature of the beast here is that the devices go missing,” says Stephen Sprague, CEO of Wave Systems, a provider of client and server software for hardware-based digital security. “So assume all your patients’ records are on that device. Do you really want to have a press conference?”
Even if, like Compass Health, you take all appropriate steps to protect your patients in the wake of a computer theft, bad press can severely damage your credibility with current and future patients.
Is paperless dangerous?
So should you just toss out your electronic equipment and go back to paper files?
You probably know the answer to that. Whether you own an EMR or not, your practice cannot operate without computers running the software that is vital to its everyday operations. So tossing your PCs out the window isn’t an option. Besides, paper is just as, or more, vulnerable to theft as is electronic equipment.
