Medical Records Access Report Too Burdensome

On May 31, 2011, the Department of Health and Human Services’ (HHS) Office for Civil Rights proposed a new rule recommending that patients have the right to ask for a report on who has accessed their medical records. The recommendation has been out for public comment since that time.

A number of healthcare organizations including the Medical Group Management Association (MGMA), the College of Healthcare Information Management Executives and the American Health Information Management Association are asking the Department of Health and Human Services’ Office for Civil Rights to reconsider the access report requirement.

The reasons given are:

Few patients request such information and it would cost too much to add that feature to every system. 55% of 1,400 physicians surveyed stated that they had not received such a request in the past year.
MGMA contends the access report proposal could do more harm than good. There is concern that the proposed rule could serve as a “disincentive” for adoption of Electronic Health Records.
There was also concern about compromising the privacy of health care professionals, particularly mental health care providers, who sometimes use pseudonyms “to avoid patients stalking or contacting them outside the workplace.”

The recommended solution is for the patient to provide a list of specific names to determine whether those individuals have or have not accessed the patient’s information.

HHS is accepting comments on the proposed rule until August 1st. Apparently, they will have a number of positions to reconsider before they find the right balance between cost effectiveness and protecting the privacy rights of both patients and clinicians.

SSL Hero: Moxie Marlinspike

At Defcon, I acquired a new tech hero. Defcon is all about finding vulnerabilities. The glory goes to the most creative and most damning hacks. I’m not condemning hackers. I think the world is more secure because of them. But it bothers me that all the glory goes to breaking in, while there is no glory in fixing or protecting.

Moxie Marlinspike has been breaking SSL for years. SSL is the technology behind the padlock icon in your browser. In school I marveled at SSL’s protocol. To me it was like an armored truck delivering my internet traffic. Moxie broke that perception for me years back with his many discoveries of how to get around the armored truck. In particular, his sslstrip presentation at Black Hat rocked my world (and it still has the potential to rock your bank account).

Not content with exposing the weaknesses of SSL, Moxie wants to fix it. At Defcon he explained the problems with certificate authentication and proposed a fix: Convergence. It changes the way we establish trust in certificates. Here is his explanation of the problem. Here is his proposal to fix it. It’s a real solution. You can try it on Firefox today. If you want to be part of the solution, you could host a notary. Here is a write-up on the Sophos blog.

So this is for Moxie, the SSL hero: more than a hacker, he finds the problems and fixes them. No offense to hackers, who find the holes. No offense to developers, who fix the holes. But it takes a super hero to find and fix.

August 30th, 2011 | General

HealthCare Providers Need IT Security Training

It appears that the health care industry lacks an understanding of basic information technology security. Dr. David Lee Scher, MD, just wrote an article for the Healthcare IT and Technology blog outlining five things healthcare providers should know about electronic health record security. From his article, it is obvious that health care workers could use some IT security training.

Here are some of the problems he described.

30% of physicians did not use antivirus on their office computers.
34% of physicians’ offices did not have network firewalls.
The Inspector General of the HHS Office for Civil Rights inspected 7 hospitals for HIPAA compliance and found that although ALL of them had implemented some policies and rules to protect EHRs, none had implemented sufficient controls to adequately protect patient privacy. Common violations were improper disposal of printed records and leaving computer screens on and unattended.
Most EHR systems date and time stamp all entries. These entries are permanent records and cannot be deleted, only corrected, so healthcare providers should be careful about what they put in the record. The entry log may be audited by the practice or IT manager, as well as by attorneys during discovery.
Most breaches of private data do not come from “hackers” but from improperly stored or lost data, caused by individuals not following hospital security protocols.

Data security is the responsibility of everyone in the hospital or the doctor’s office. All staff should be fully aware of their role and responsibilities in keeping private patient information safe and secure. Like anyone else who works with information technology, healthcare providers should have annual security training and be aware of the consequences of not following the protocols.

You can read Dr. Scher’s blog at

Privacy by Design or Redesign—a new International Standard

Dr. Ann Cavoukian, Privacy Commissioner of Ontario, Canada, is recognized as one of the leading privacy experts in the world. She has been working with a concept called Privacy by Design for over 20 years. The idea is that Privacy should be designed into systems from the beginning, not added as an afterthought. Systems designers should be made aware of privacy issues and be proactive about embedding them into the system.

Dr. Cavoukian states: “We know from the academic literature that whatever the default condition is, that condition rules 80 percent of the time. I want that to be privacy. By default, I mean it is automatically available to the user without them having to ask for it. It’s embedded; it’s built into the system.”

Once a year, there is an international conference of privacy commissioners and data protection regulators, usually held in Europe. Last year, the conference was hosted in Israel, where the privacy commissioners unanimously passed an international resolution making Privacy by Design an international standard. The standard is now being adopted worldwide, not only in Canada and the EU. The Federal Trade Commission has made it one of its three recommended practices. Senators Kerry and McCain recently introduced a commercial privacy bill of rights which, for the first time, uses language taken directly from the Privacy by Design standard.

Privacy has become a “hot topic” recently due to what seems to be an endless series of security breaches in the health care and banking industries. To address this state of affairs, Dr. Cavoukian has developed a new concept called Privacy by Redesign, to bring privacy into systems that have already been developed. To do so, organizations need to look at the uses of data, what is permissible and what isn’t, […]