Thursday, February 19, 2009

Convenience vs. Security

You might think that IT folks would be early adopters of this communication medium, but a quick survey of posts will show that they're not flocking to this blog. So recently I posed a question to the IT community by taping it on the wall, just outside my office:
"If you can log in to your banking website and be confident that your money is safe, why can't you log in to the intranet from outside the firewall (i.e., via extranet) and be confident that the data is safe?"

The clever folks in IS responded with a "paper blog", attaching a string of printed responses below the original question. Because the topic is so important, I thought I'd share those responses with you. I hope they will illustrate that our "obsession" with security is not intended to create roadblocks to access but stems from serious concern for our ethical obligations to our patients and our liability under the law.

Based on all of the identity theft and credit card fraud, it's hard to believe that anyone actually thinks their data is safe... If someone gets your banking or credit card information, how much do you lose? Maybe several thousand dollars? In medical ID thefts, the costs are usually tens to hundreds of times greater. People whose medical information was compromised have received bills in excess of $100K for operations and hospital stays that they did not actually receive.... The information that we are talking about here is much more valuable and more sensitive than financial data.

All that being said, we really need to provide a much better Web presence and the ability for patients to access their information and set up their own appointments.

Another poster addressed the complexity of providing secure Web access:
My bank uses a mix of AIX and Solaris to run their webservers and databases. They have partitioned databases. Web application servers do not directly access back end databases. The web applications themselves are written in Java. Finally, they have dedicated security staff that runs regular audits & code reviews and monitors web traffic & application performance.

All of that and I still don't actually trust that the site is truly secure, but they warrant that I will not be financially liable for online fraud. What will we be able to refund or un-release if PHI is stolen?

A third poster addressed PHI directly:
Kaiser Permanente lets you see your Electronic Medical Record on their Website. Are they not as serious about protecting PHI as we are?

A fourth poster thought not, citing the following evidence:
Kaiser fined $200,000 for release of PHI
Kaiser worker data breached, identity fraud reported

We in Information Systems are working diligently to find the appropriate balance between convenience and security. We hope that our customers understand that these concerns are not trivial, and we want to work with you to craft a solution that protects patients, employees, and the County without creating undue hardships for those charged with providing direct patient services.

If you have any comments to add on this topic, I hope you will share them with us.
