Thursday, December 27, 2012

Identity Theft? How about Medical Data Theft?

December 26, 2012, 10:03PM

University of Michigan Health Systems Admits Patient Data Stolen

Some 4,000 University of Michigan Health Systems patients had their medical data compromised last month when hospital equipment was stolen from a vendor's vehicle.
That medication management provider, Mountain View, Calif.-based Omnicell, admits it violated both its own and UMHS hospitals' data storage policies when it left patients' demographics, medication regimes and admissions records on an unsecured device that was stolen from an Omnicell employee's car on Nov. 14.
The stolen data did not contain personal identification such as addresses, phone numbers, Social Security numbers or financial data, according to The Detroit Free Press.
Impacted patients were notified by letter beginning last week, the report said.
The UMHS theft is just one in a long line of hospital data security breaches this year, many the result of missing or stolen devices or discs that held patient data.
Yesterday, in an ongoing series, the Washington Post published a report, a year in the making, on the health care sector's vulnerability to hackers. One reason may be that health care data security laws, such as the security and privacy provisions in HIPAA, have not kept up with technology, and (sometimes outdated) software is left unpatched.
"Security researchers are starting to turn up the same kinds of trivial-seeming flaws that earlier opened the way for hackers to penetrate financial services networks, Pentagon systems and computers at firms such as Google," the report said.
In one example of lax security practices, a University of Chicago medical center used an unsecured Dropbox account and a single username and password (published in an online manual) to manage patient care via residents' iPads.
The risks go beyond identity theft and fraud. In recent years a security researcher known as Barnaby Jack has demonstrated how insulin pumps and pacemakers could be controlled wirelessly to remotely send lethal doses and voltage to patients.

My opinion:
I know HIPAA laws are a big deal, but I feel like thieves are not usually after a patient's confidential medical history. Identity theft and fraud make more sense to me, but I had no idea that people could be killed by means of wireless instruments! It looks like the hospitals need to upgrade their technology and perhaps even their policies - I think this is the fourth or fifth time I've heard of records being stolen from somebody's car! I've even heard that hospitals often store one patient's records in the files of another patient! Maybe computer engineers will be working more on enhancing the online record system in the future. Feel free to comment.
