News

Should patients be told about security breaches?

One of the debates in the USA about privacy and the use of electronic healthcare records revolves around the practice of organisations informing affected individuals about a security breach. Many organisations don’t like the practice, but as far as raising security awareness, it can be very effective.

Last year, an employee from the USA’s Department of Veterans Affairs (VA) decided to do some work at home. Unfortunately, his house was burgled and the laptop on which he was working was stolen. The disk on the laptop contained identifying information including names, the social security numbers, medical diagnostic codes, disability ratings and dates of birth of up to 26.5m veterans and some spouses.

Contacting millions of people to tell them of a security breach tends to be noticed, especially as the individuals concerned were soldiers who had served their country in places such as Iraq. The fallout from this security breach has thus been spectacular.

A month after the incident became public, the VA announced the appointment of a special adviser for information security; members of the senior management team were forced to retire or resign; and the hapless employee and his line managers were all sacked.

This was followed by a demand from 30 organisations participating in the Consumer Coalition for Health Privacy for a statutory compliance review under the Health Insurance Portability and Accountability Act of 1996; and politicians from the House of Representatives publicly harangued the Bush-nominated Secretary of State, R James Nicholson.

This led to Nicholson ordering all VA employees to complete an annual data privacy and cyber-security awareness training course immediately, and he directed senior officials at the VA to compile an inventory of all workers and contractors who need access to sensitive data. Nicholson also told senior department managers to remind staff to protect sensitive information and ordered a security review of all laptops.

bjhc&im February 2007

Your browser does not support inline frames or is currently configured not to display inline frames.

Please allow scripts in your browser so that Google ads will show — the ads are safe and give information on useful IT products.

Your browser does not support inline frames or is currently configured not to display inline frames.

To top^