Human Error to Blame for Grady Data Breach
October 1, 2008
Simple human error made the private medical records of 45 patients at Grady Hospital in Atlanta, Georgia available on the internet. The hospital outsourced note transcription to a firm in Marietta, Georgia, which outsourced it to a contractor in Nevada, which in turn outsourced it to a firm in India. Workers at the Indian firm allegedly caused the breach. Luckily, the exposed information did not include Social Security or credit card numbers. There was no evidence of theft, and it does not appear that the patients were harmed.
Smaller practices are unlikely to be exposed in exactly this way. Most practices do not run their own intranets, so their patient records are rarely reachable from the internet in the first place. However, some electronic medical records are delivered on the Application Service Provider (ASP) model: the vendor hosts the system and the practice reaches it through a web-based interface. A hosted system with a public web interface is a system that can be compromised. Vendors usually take every precaution to lock down their systems, so the risk is small, but a practice should still ask the vendor how the hosted system is secured and who besides the vendor can reach it.
The real lesson is to be wary of outsourcing work. While it is not always efficient to do everything in-house, practices should exercise caution when working with third parties. Make sure the contract stipulates that whoever you contract with will perform the work themselves and not outsource it to someone else (or, at a minimum, must obtain your written approval before using any subcontractor). Not only is the recursive outsourcing seen in the Grady incident somewhat absurd, it is also a huge security risk. Instead of one firm having access to protected health information, three firms and an unknown number of employees now have access.
Ryan Ricks
Security Officer
www.xlemr.com
Comments
One Response to “Human Error to Blame for Grady Data Breach”
These data breaches and thefts are due to a lagging business culture. I found some fresh and original thinking from the author of “IT Wars” - http://www.businessforum.com/DScott_02.html - I urge every business person and IT person, management or staff, to get hold of a copy of “I.T. Wars: Managing the Business-Technology Weave in the New Millennium.” It has an excellent chapter on security, and how to scale security for any organization, any budget. It also has a plan template with all considerations. Our CEO has read this book. Our project managers are on their second reading. Our vendors are required to read it (they can borrow our copies if they don’t want to purchase it). Any agencies that wish to partner with us: We ask that they read it. Do yourself a favor and read this book – BEFORE you suffer a breach.