FRAMINGHAM (08/11/2000) - Health care officials said alleged data theft this week at a leading cancer center in Boston highlights the security issues the industry faces.
But experts also said information technology leaders face the daunting task of balancing the need for patient privacy against the flow of information in an industry where that flow can literally affect the lives of their customers. Moreover, security at health care organizations will come under increased scrutiny in coming months as federal agencies review regulations that require health organizations to protect the security and privacy of electronic information.
Officials at the Boston-based Dana-Farber Cancer Institute alleged last week that temporary worker Marlene Honore stole personal data, including the Social Security numbers and addresses of at least 23 patients. In her work as a data entry clerk, Honore had access to computer files, though the information was administrative, not medical, according to Dana-Farber spokesman Steve Singer.
The investigation prompted officials at Dana-Farber to perform criminal background checks of temporary workers and review data access policies, although they haven't decided how their information security procedures will change, said Singer.
No Background Check
Alan Paller, director of research at the SANS Institute in Bethesda, Md., said that while organizations across all industries rely increasingly on temporary workers, they don't often perform background checks on them.
"Pedophiles often get a job in an elementary school. If you're a data thief, the easiest thing is to get a job as a temp. It's a lot easier than breaking in from the outside," said Paller.
But preventing situations like the one at Dana-Farber is difficult because many people in a health care organization have legitimate access to information, according to Mitchell Morris, senior vice president and CIO at the University of Texas M. D. Anderson Cancer Center, one of the nation's top cancer facilities.
In addition to temporary workers, health care providers rely on volunteers, some of whom also have access to patient data.
The case at Dana-Farber comes at a time when health care organizations "are putting more money in beefing up their information systems" to address security issues, said William Gillespie, CIO at WellSpan Health, a not-for-profit integrated delivery network in York, Pa. That's because the industry is awaiting federal legislation that would require health officials to pay fines, or even possibly face jail time, if they don't adequately safeguard patient information.
The challenge for IT leaders preparing for the legislation is to strike a balance between safeguarding privacy and ensuring that security measures are flexible enough that caregivers aren't denied access to information in a life-or-death situation, said Morris.
M. D. Anderson uses homegrown software to store the most sensitive of patient data.
This enables the organization to add various levels of security so that employees can access only the information that they need to know. Morris said leading health care vendors' applications aren't yet sophisticated enough to provide such flexibility, though some can provide an audit trail of users who have accessed sensitive information.
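The need-to-know access tiers and audit trail described above, as an added illustration that is not M. D. Anderson's software or any vendor's product: field-level permissions per role, every read logged, and a simple review over the log that flags one user pulling a sensitive administrative field for many distinct patients. The roles, field names, records and the threshold are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed classification of record fields (assumption, not from the article).
ADMIN_FIELDS = {"name", "address", "ssn"}
MEDICAL_FIELDS = {"diagnosis", "treatment_plan"}

# Constructed need-to-know policy: the fields each role may read.
# A data entry clerk gets administrative fields only, never medical ones.
ROLE_FIELDS = {
    "data_entry_temp": ADMIN_FIELDS,
    "oncologist": {"name"} | MEDICAL_FIELDS,
}


@dataclass
class AccessLog:
    # One entry per read attempt: (user, role, patient_id, field, allowed)
    entries: list = field(default_factory=list)


def read_field(record, user, role, field_name, log):
    """Return a field value only if the role needs it; log every attempt, allowed or not."""
    allowed = field_name in ROLE_FIELDS.get(role, set())
    log.entries.append((user, role, record["patient_id"], field_name, allowed))
    if not allowed:
        raise PermissionError(f"role {role!r} may not read {field_name!r}")
    return record[field_name]


def flag_bulk_access(log, sensitive=("ssn",), threshold=10):
    """Users whose permitted reads of a sensitive field span more than `threshold` patients.

    Legitimate access is the hard case the article describes, so the review keys on
    volume (distinct patients) rather than on the permission decision alone.
    """
    patients_by_user = defaultdict(set)
    for user, _role, patient_id, field_name, allowed in log.entries:
        if allowed and field_name in sensitive:
            patients_by_user[user].add(patient_id)
    return sorted(u for u, pids in patients_by_user.items() if len(pids) > threshold)


def demo(patient_count=23):
    """Constructed scenario: a temp reads the SSN of `patient_count` patients."""
    log = AccessLog()
    for pid in range(1, patient_count + 1):
        rec = {"patient_id": pid, "name": f"P{pid}", "address": "x", "ssn": f"000-00-{pid:04d}"}
        read_field(rec, "temp01", "data_entry_temp", "ssn", log)
    return flag_bulk_access(log)
```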
A Closer Look
Under the Health Insurance Portability and Accountability Act (HIPAA), passed by Congress in 1996 but not to be fully implemented until the U.S. Department of Health and Human Services outlines rules for its enforcement over the next few months, IT's role in protecting patient privacy will involve paying closer attention to procedural issues rather than technology, said health care experts.
According to Frank MacDonald, a senior manager at First Consulting Group in Long Beach, Calif., HIPAA regulations will likely require that hospitals have a chief security officer, as well as a disciplinary policy to address privacy breaches.