Human Error to Blame for Grady Data Breach

October 1, 2008

Simple human error made the private medical records of 45 patients at Grady Hospital in Atlanta, Georgia available on the internet. The hospital outsourced note transcription to a firm in Marietta, Georgia, who then outsourced it to a contractor in Nevada, who in turn outsourced it to a firm in India. Workers at the Indian firm allegedly caused the breach. Luckily, the exposed information did not include social security or credit card numbers. There was no evidence of theft, and it does not appear that the patients were harmed.

It is unlikely that smaller practices would be vulnerable to this kind of incident. Most practices probably do not have their own intranets, so it would be difficult for their patient records to be made available on the internet. However, some electronic medical records that use the Active Server Pages (ASP) model utilize a web-based interface, and there is a risk that these EMR systems could be compromised. The vendors usually take every precaution to lock down their systems, so the risk is small.

The real lesson is to be wary of outsourcing work. While it is not always efficient to do everything in-house, practices should exercise caution when working with third parties. Make sure the contract stipulates that whoever you’re contracting with will perform the work themselves and not outsource it to someone else. Not only is the recursive outsourcing seen in the Grady incident somewhat absurd, it’s also a huge security risk. Instead of one firm having access to protected health information, three firms and an unknown number of employees now have access.

Ryan Ricks
Security Officer
www.xlemr.com

The Importance of Offsite Backups

September 23, 2008

Have you ever thought about how your practice would survive after a disaster? What would happen if your office burned down, or burglars broke in and stole all your computers? Natural disasters, such as floods, hurricanes, and tornadoes, also pose a threat.

Many businesses fail after disasters because they do not plan ahead. Offsite backups are one of the easiest and best ways to protect your practice. If you still use paper charts, you face an even greater risk. Keeping an updated offsite copy of all your paper charts would be prohibitively expensive.

If you use an EMR, be sure to ask your vendor how they handle offsite backups. If you have a web-based EMR, it’s possible that your data is already stored offsite. In that case, be sure to verify they back up your data. If you have a client/server model or a custom system, you may be responsible for your own backups.

There are many companies that offer hosted offsite backup solutions. Their software runs in the background on your computer and uploads files to a remote server, usually in real time. This kind of service is generally easy to use, and great for when you only need to recover a few files at a time.

There are two main drawbacks to this architecture, however. It is usually subscription based, meaning you pay a monthly fee for the service. The other problem is recovery time. If you lose everything, it can take forever to download all of your data.

Hosted backup solutions can be expensive. They usually charge you by the gigabyte (GB). Our average customer has about 130GB of data, which could cost you as much as $345 per month. That equals $4140 per year, and about $20,700.00 over five years - about the cost of some EMR systems.

The second problem with hosted backups is download time. If you’ve ever downloaded large files from the internet, you know it can be time-consuming. Let’s imagine your practice has about 130 GB of data, which comes out to 133200 megabytes (MB). If you lose everything, and have to download all of your data, you could be out of business for a long time. If you have a fast internet connection, such as Comcast, your download speed could be about 4.82 MB/s. With this speed it could take you about 19 days to download 130 GB of data.
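The calculation above is worth doing for your own practice before a disaster forces it on you. The following is an added example written for this page, not code from the original post or from xlemr: a small restore-time estimator that takes the post's figures (130 GB of data, a 4.82 link speed) and shows how the answer depends on two things the post glosses over: whether the link speed is quoted in megabytes (MB/s) or megabits (Mb/s, the usual ISP figure, eight times smaller), and how much of the nominal speed you actually get. The `efficiency` factor and the function names are assumptions for illustration.

```python
"""Restore-time estimator for a full download from a hosted offsite backup.

Added example, not part of the original post. The 130 GB and 4.82 figures come
from the post; the efficiency factor and the unit handling are assumptions
introduced here to show how much they move the estimate.
"""

BITS_PER_BYTE = 8
SECONDS_PER_HOUR = 3600
SECONDS_PER_DAY = 86400

# A "gigabyte" on a hosted-backup bill is usually decimal (1000 MB); disks and
# OS tools often report binary units (1024 MB). The post's 133200 MB for 130 GB
# is close to the binary figure, so binary is the default here.
MB_PER_GB_DECIMAL = 1000
MB_PER_GB_BINARY = 1024


def to_megabytes(size_gb: float, binary: bool = True) -> float:
    """Convert a size in gigabytes to megabytes using the chosen convention."""
    return size_gb * (MB_PER_GB_BINARY if binary else MB_PER_GB_DECIMAL)


def link_speed_mb_per_s(value: float, unit: str) -> float:
    """Normalise a quoted link speed to megabytes per second.

    unit is 'MB/s' (megabytes) or 'Mb/s' (megabits, the figure ISPs advertise).
    Mixing the two up changes every downstream estimate by a factor of eight.
    """
    if unit == "MB/s":
        return value
    if unit == "Mb/s":
        return value / BITS_PER_BYTE
    raise ValueError(f"unknown speed unit {unit!r}; use 'MB/s' or 'Mb/s'")


def restore_seconds(size_mb: float, speed_mb_per_s: float, efficiency: float = 1.0) -> float:
    """Seconds needed to download size_mb at speed_mb_per_s.

    efficiency (0 < e <= 1) is an assumed factor for protocol overhead and a
    link shared with the rest of the office; 1.0 is the best case.
    """
    if speed_mb_per_s <= 0:
        raise ValueError("link speed must be positive")
    if not 0 < efficiency <= 1:
        raise ValueError("efficiency must be in (0, 1]")
    return size_mb / (speed_mb_per_s * efficiency)


def describe(seconds: float) -> str:
    """Render a duration in days when it is a day or more, otherwise in hours."""
    if seconds >= SECONDS_PER_DAY:
        return f"{seconds / SECONDS_PER_DAY:.1f} days"
    return f"{seconds / SECONDS_PER_HOUR:.1f} hours"


def estimate(size_gb: float, speed: float, unit: str,
             efficiency: float = 1.0, binary: bool = True) -> dict:
    """Full restore estimate for a data set of size_gb over a link quoted as speed/unit."""
    secs = restore_seconds(to_megabytes(size_gb, binary),
                           link_speed_mb_per_s(speed, unit), efficiency)
    return {
        "seconds": secs,
        "hours": secs / SECONDS_PER_HOUR,
        "days": secs / SECONDS_PER_DAY,
        "text": describe(secs),
    }


if __name__ == "__main__":
    # The post's data set against the same number read two different ways.
    for unit in ("MB/s", "Mb/s"):
        for eff in (1.0, 0.5):
            r = estimate(130, 4.82, unit, efficiency=eff)
            print(f"130 GB at 4.82 {unit}, {eff:.0%} of nominal speed: {r['text']}")
```

Run it with the numbers your vendor and ISP actually quote, and write the resulting figure into the business continuity plan as the recovery time you should expect; if it is longer than the practice can tolerate, that is the argument for the local or drive-home option discussed next.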

Sadly, there aren’t many alternative solutions aside from using backup tapes or external hard drives and taking them home with you every night. The best bet would be a custom solution that allows you to back up offsite to your home or another office. That way your recovery time would be limited by how long it takes you to drive home and retrieve your storage device.

Regardless of what system you go with, offsite backups are a vital part of your business continuity plan. The survival of your practice could depend on it.

Ryan Ricks
Security Officer
www.xlemr.com

Representative Stark Introduces Health-e Information Technology Act of 2008

September 18, 2008

Representative Pete Stark, Chairman of the House Ways and Means Subcommittee on Health, introduced the Health-e Information Technology Act of 2008 (H.R.6898) on September 15th. If passed, the act would codify certain offices and committees which would make recommendations on standards for interoperability, privacy and security, as well as on maximizing the utility of health-related information technology. In addition to recommending standards, the group would also develop an EMR system based on open source technology. Finally, the bill would provide financial incentives to practices that adopt approved EMR systems and reduce Medicare payments for those without a system, or those using an unapproved EMR.

Whether or not this bill becomes law, it shows that Congress has an interest in EMRs and healthcare technology. We can expect more legislation along these lines, and it is very likely that Congress will pass a law requiring every practice to adopt an EMR. This is yet another reason to adopt an EMR. However, don’t just rush out and buy the first EMR you like. Although we don’t know what features will constitute an “approved” system under this or any future legislation, physicians should pick an EMR that can exchange data using the XML and HL7 formats. Physicians should also pick an EMR that has a history of working with the federal government. No one wants to invest thousands in an EMR that doesn’t meet government standards.

Ryan Ricks
Security Officer
www.xlemr.com