I recently spent a few days in the hospital and had a couple of epiphanies outside the narcotics I ingested. My information, in multiple physical and electronic shapes and forms, now lines the virtual airwaves and filing cabinets of several healthcare providers within the medical community associated with the last several days. A major concern I have is the adequate confidentiality of the individual records being managed electronically. According to the LA Times, roughly 150 people (from doctors and nurses to technicians and billing clerks) have access to at least part of a patient’s records during a hospitalization, and 600,000 payers, providers and other entities that handle providers’ billing data have some access. Add up the number of different ‘regular’ nurses per day (3), personal care assistants per day (3), IV therapy nurses (2), surgeons (3), doctors from my local clinic (4), nutritionist (1), etc., and you get the idea.

Of course there was no personal confidentiality as I lay there in my johnny, exposed as required, with twin IVs running out of my arms. The six-minute hit between morphine drips of one gram a pop was a hoot, as I was able to legally hallucinate about weird things like identity and access governance in the form of a Blue Meanie. This just gave the staff more time to violate any shred of modesty I had left. Was the morphine for me or for them?

Multiple access points over an open network like the Internet increase the opportunities for patient data interception. This hospital had 4 wireless access points (all secure, or at least appearing secure – of course I didn’t go into the hospital to hack but to be hacked). The question begs, ‘Why do you need 4 different WAPs?’ Was one for the consistent and rhythmic beat of the hearts of those being monitored? Was another for nurses and surgeons to communicate? Was yet another used for IT staff backend support?
Was the last used by bored nighttime staff playing a medical version of Doom, whereby they hunt down hideous infections running rampant in an endocrine system? Why four? (And how did they get the funding for four freakin’ WAPs?)

The organizations and individuals charged with the management of this information are required to ensure adequate protection is provided and that access to the information is only by authorized parties. Yeah, and I didn’t traverse the hallways one day with my derriere promptly presented to those I schlepped by. Somehow I don’t believe access is primary on their minds. Heck, the nurses were only recently issued cell phones; why would I presume to think access and identity management issues would run as smoothly as a new scalpel across virgin skin? I know the surgeons and nurses knew their stuff and ran a very professional operation. I wonder what type of salary is paid to security types in hospitals? I know they are considered overhead, there only because of HIPAA and maybe some JCAHO requirements, but I would imagine security is not the hospital’s first priority. The growth of electronic healthcare records creates new issues, since electronic data may be physically much more difficult to secure, and lapses in data security are increasingly being reported. Information security practices have been established for computer networks, but technologies like wireless computer networks offer new challenges as well.

Regardless, my data is flowing around this hospital in reams of records. The amount of data they had on hand during initial consultations reminded me of FOIA (Freedom of Information Act) requests and the stack of info you get back on the clearances you have had. They entered the room with a large folder with my name on it, surrounded me on three sides, and began peppering me with questions in a staccato sequence meant to work the muscles in my neck (without the aerobics music).
Anyway, there isn’t a whole lot I can do about it, but I can revel in the fact that I am not there anymore; that I lost 18 pounds without binging and purging; that modesty is only a push button away from false; and that I did my part to contribute to the glut of information being stored (EMC should thank me!).