Healthcare Provider Loses Mobile Data Device, Issues Letter and Credit Monitoring. I Presume The Device Was Not Encrypted (Not that I Blame Them In This Case).
Clarian Health has notified over 1200 patients that their information might have been compromised. These patients were in the Clarian transplant program, and one of the transplant coordinators misplaced “a device similar to a Palm Pilot.”
Before anyone goes around saying that such information should not be on such a small device to begin with, since it can be easily lost or stolen, one should realize that such devices let the transplant teams notify patients within seconds that an organ is available. When you need a new liver, or a heart, or a lung, every second does count.
As for whether patient information, such as Social Security numbers, is necessary, my guess is that it must be so. Perhaps the paperwork is being filled out as the surgeon is being paged and the patient is being wheeled into the operating room. Unfortunately, even in such emergencies there is paperwork to be filled out. If a coordinator always has the information, it must be a faster process (since I don’t work in a hospital, nor do I work as an administrator in a medical facility, I don’t know; I can only speculate). I would assume that this is truly a lifesaver if the organs become available in the dead of the night (organs don’t become available on a fixed schedule, right?). Or perhaps the next of kin cannot be reached during that crucial minute?
So, chances are it was valid for the coordinator to have all this information within the mobile device; this is no willy-nilly, “let’s get as much data as possible…just in case” situation. One would assume that they would never misplace such a device, just like I’ve never seen a construction foreman without a two-way radio. However, accidents do happen and muggers do appear out of the shadows…so one hopes that the appropriate security considerations were given when such a device was handed out.
Based on the article, it doesn’t sound like it. Clarian is offering 12 months of free credit monitoring services to the affected, including 20 physicians and the families of approximately 200 deceased patients. Could the healthcare organization have done more to ensure the safety of their patients and their data?
Perhaps. There are services out there, such as AlertBoot, that will encrypt the data on PDAs and smart phones. Just like you can encrypt a hard drive on a laptop, you can secure your mobile tools via device encryption. This way, the device and its contents are protected if the PDA is lost or misplaced (or stolen). At the same time, the impact on the workflow would be minimal, which is what you want when every second counts. Plus, any external or removable media cards would be encrypted as well. This would be an ideal solution for ordinary businesses that rely on highly portable devices.
For medical situations, who knows? Perhaps the administration decided that even the smallest amount of impact on the workflow was too much. And despite being in the security industry, I can understand that. After all, the doors to the emergency wing of a hospital don’t carry locks. At least, I’ve never seen one. When your physical world is structured for rapid flow because of emergencies, it only makes sense that security practices follow the same pattern of “openness.”
On the other hand, knowing all the different types of fraud that could be carried out (Medicaid and insurance fraud, among others) if patient information got into the wrong hands…. And then there are the HIPAA regulations that were (probably) broken. I can only say I’m happy not to be the decision-maker in such instances.