Ireland’s busiest hospital has gone into defensive mode after it was accused of having a data security breach. According to a statement, Tallaght Hospital has notified the Data Protection Commissioner’s office because of the allegations. I find this story very interesting. It shows that data security is not necessarily about the proper security tools you have in place, like drive encryption software from AlertBoot. Sometimes, you have allegations of a data breach because of politics.
The Breach? We’ve Decided to Hire…Filipinos?
As far as I can tell, the entire controversy lies upon the fact that medical transcription work was outsourced to a firm in the Philippines. It’s not that the proper data security wasn’t in place, or that no thought was given to data security. Here’s what the hospital has to say about the situation (from rte.ie):
In a recent letter to the TD, Tallaght Hospital said it had a limited number of medical typists and has outsourced some dictation since 2004.
The process involves a hospital clinician dialling [sic] codes on a phone and dictating.
An audio file is created on a server in the hospital.
This file is encrypted and sent to an outside firm, typed up and sent back to Tallaght the next day.
Other sources, such as the irishexaminer.com, note that (my emphases):
…such data was encrypted and the company concerned was bound by a confidentiality agreement…[it] encrypts the content of the correspondence and no patient identifiers were used.
And there is also this:
It is believed that some patients’ data was sent to the Philippines for medical reports on Irish patients to be typed up. The hospital said it had found it efficient and cost effective to outsource some transcription services. It said such data was encrypted and the company concerned was bound by a confidentiality agreement.
So, to sum up, all the files were protected with encryption software — the strong type, one assumes — with the personal details stripped out. These are sent to a company that listens to the audio, types up a transcription, and sends it back (also encrypted, I hope).
Uh…besides the fact that the work is taking place overseas, where is the data breach? I just don’t see it. Then there is this observation by a government official:
Labour TD Robert Dowds, who raised the issue in the Dáil last month, said he found it odd that the hospital found it necessary to out-source the work to the Far East. “You’d imagine important medical letters need to be typed up accurately and close to the source of the information.”
Other hospitals in Dublin recently stated that they were not engaged in a similar arrangement with foreign companies.
Where are the accusations that the work was not done right, or that quality suffered, or that information was leaked, or that the proper data security controls were not in place?
As far as I can see, such criticisms or observations are not covered anywhere, the implication being that there is no such criticism. If so, what does it matter whether the work is done in the Far East, South America, or Mars?
And, how are “letters being typed up accurately” tied to “being close to the source of the information”? (Which is what, exactly? The doctor, who’s speaking into a tape recorder, essentially? Under those circumstances, how would “being close” matter?)
The more I read about the situation, the more I get the feeling that this is not about data breaches at all. This is not the blog for it, but it seems that there is more afoot, possibly political in nature.
Now, this is not necessarily a bad thing. Perhaps it will bring more attention to data security issues, and will clarify what is and is not allowed under the law. However, from a technical standpoint, I don’t see a reason why this should be considered a data breach.