I just read another data theft article. The Seattle Times reported Patients’ information stolen in 3 thefts. This time backup tapes (which I warned about in an earlier post) were left in a personal vehicle which was broken into. I can’t tell you how many times I’ve walked around in a hospital or provider parking lot and seen medical record folders sitting in physicians’ cars. That’s bad, but a thief who breaks into one of those cars gets only a few records at a time. Breaking in and grabbing backup tapes, though, nets thousands of records with very little effort. The Providence example (from the Seattle Times story) is neither new nor unique: backup tapes are carried in personal vehicles by IT people thousands of times a week all over the country.
In case you’re not already aware, I thought it might be illustrative to contrast how a business moves $10,000 in cash with how some hospitals move backup tapes holding potentially hundreds of thousands or millions of dollars’ worth of patients’ medical and financial data. Here’s the difference:
Cash is carried in an armored truck.
Medical data and customer financial backup tapes are carried in the same vehicles as flowers and candies!
Is it just me or is something not right here?
I’ve worked for many years in DoD research centers dealing with classified information, and it worries me that many businesses and hospitals don’t treat their customer, patient, and financial data the way we used to treat classified information: as extremely valuable, with the appropriate check-in, check-out, and hand-off procedures. Law enforcement treats evidence using a “chain of custody” model, where every transfer is recorded as evidence moves from one person to another, so at any moment you can say who holds an item and how it got there.
Is there any reason why we in healthcare can’t use tried and true methods like intelligence and law enforcement agencies use to protect backup tapes? Only if we don’t care.
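To make the chain-of-custody idea concrete, here is a small custody ledger for backup tapes. This is an added example, not code from the original post or from any hospital or agency; the tape ID, the custodian names, and the timestamps are made up for the walkthrough. Each hand-off is accepted only if the party releasing the tape is the recorded current holder, and every entry is hash-chained to the one before it, so an altered or deleted hand-off shows up when the chain is re-verified.

```python
"""Minimal chain-of-custody ledger for backup tapes (added example, not from the post)."""
import hashlib
import json
from dataclasses import dataclass


class CustodyError(Exception):
    """Raised when a hand-off is inconsistent with the recorded custody chain."""


@dataclass
class Entry:
    seq: int
    tape_id: str
    released_by: str
    received_by: str
    timestamp: str      # ISO-8601 string supplied by the caller
    prev_hash: str
    digest: str


def entry_digest(seq, tape_id, released_by, received_by, timestamp, prev_hash):
    # Canonical JSON so the same fields always hash the same way.
    payload = json.dumps(
        [seq, tape_id, released_by, received_by, timestamp, prev_hash],
        separators=(",", ":"),
    )
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class CustodyLedger:
    GENESIS = "0" * 64   # prev_hash of the first entry

    def __init__(self):
        self.entries = []
        self.holder = {}   # tape_id -> current custodian

    def _append(self, tape_id, released_by, received_by, timestamp):
        prev = self.entries[-1].digest if self.entries else self.GENESIS
        seq = len(self.entries)
        d = entry_digest(seq, tape_id, released_by, received_by, timestamp, prev)
        self.entries.append(Entry(seq, tape_id, released_by, received_by, timestamp, prev, d))
        self.holder[tape_id] = received_by

    def register(self, tape_id, custodian, timestamp):
        """Bring a freshly written tape under custody."""
        if tape_id in self.holder:
            raise CustodyError(f"{tape_id} is already under custody")
        self._append(tape_id, "BACKUP-SYSTEM", custodian, timestamp)

    def hand_off(self, tape_id, released_by, received_by, timestamp):
        """Record a transfer; only the recorded holder may release a tape."""
        if tape_id not in self.holder:
            raise CustodyError(f"{tape_id} is not under custody")
        if self.holder[tape_id] != released_by:
            raise CustodyError(
                f"{released_by} cannot release {tape_id}; recorded holder is {self.holder[tape_id]}"
            )
        self._append(tape_id, released_by, received_by, timestamp)

    def verify(self):
        """Recompute the hash chain; False if any entry was altered or removed."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != prev:
                return False
            recomputed = entry_digest(e.seq, e.tape_id, e.released_by,
                                      e.received_by, e.timestamp, e.prev_hash)
            if recomputed != e.digest:
                return False
            prev = e.digest
        return True


def run_demo():
    """Walk a (made-up) tape from the data center to the offsite vault and report the checks."""
    ledger = CustodyLedger()
    ledger.register("TAPE-0417", "ops.night", "2006-01-10T02:00:00")
    ledger.hand_off("TAPE-0417", "ops.night", "courier.armored", "2006-01-10T07:30:00")
    ledger.hand_off("TAPE-0417", "courier.armored", "vault.offsite", "2006-01-10T09:05:00")

    # Someone who no longer holds the tape tries to record a hand-off to their car.
    try:
        ledger.hand_off("TAPE-0417", "ops.night", "personal.car", "2006-01-10T18:00:00")
        rejected = False
    except CustodyError:
        rejected = True

    intact_before = ledger.verify()

    # Tamper with history: rewrite the courier leg to hide where the tape went.
    ledger.entries[1].received_by = "personal.car"
    intact_after = ledger.verify()

    return {
        "holder": ledger.holder["TAPE-0417"],
        "entries": len(ledger.entries),
        "bogus_handoff_rejected": rejected,
        "chain_intact_before_tamper": intact_before,
        "chain_intact_after_tamper": intact_after,
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The hash chain only detects edits to a copy of the ledger that someone else can compare against the original; whoever can rewrite the whole file can recompute every digest. In practice you would have each custodian sign their entry, or periodically record the head digest somewhere the tape handlers cannot reach, so that the paper trail is as hard to alter as the one the evidence room keeps.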
At some point our patients will wake up and start asking us about our policies. I’d suggest we get our act together before then 🙂