Fifteen Kaiser Permanente employees were recently fired and another eight were reprimanded for accessing the medical records of Nadya Suleman, better known as the "Octomom." The employees all worked at the Bellflower, Calif., facility when the octuplets were born. California, along with several other states, has laws protecting the privacy of patient health data.
The U.S. government wants to make all of our health records available in electronic format. In fact, President Obama allocated $19 billion for this project in his stimulus plan. The idea is that making our records available electronically will raise health care quality and lower its costs.
The only groups to benefit from this are the insurance companies and the health care tech companies that sell software-based practice management and patient-record systems to doctors and dental practices. This is a red flag, a challenge, a taunt to hackers to attack our systems and steal this data. But I digress.
I worked for a company that manufactured medical devices, a large regional health care insurance provider, and a very large national health care provider, so I know a little bit about the subject. The type of incident at Kaiser falls under several security categories, including data loss prevention, privacy, HIPAA, data security and network security; the list can go on and on.
Call it whatever you want, but at the end of the day, it was an internal breach. More than likely, the people who viewed the data had access to it for legitimate purposes. I know I have said this several times in my blogs, but this type of attack is very difficult to protect against because it came from the inside. Whether it's financial data or personal health care records, the following guidelines, at a minimum, should be followed:
- Encrypt all data, whether it is used internally or sent externally.
- Use the best practice of least privilege. Who needs access, at what level, and why?
- Review access rights on a regular basis.
- Don't use production data in your development/test environment.
- Use a firewall when critical data is involved.
- Use intrusion detection and intrusion prevention.
- Adopt a data loss prevention program.
- Protect backups (onsite and offsite).
- Monitor, audit and report.
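One concrete way to act on the least-privilege and "monitor, audit and report" points above is to compare who viewed a sensitive record against who actually had a care relationship with that patient. The following is an added example of my own, not Kaiser's code or any vendor product; the audit log lines, patient ids, user names and care-team roster are all constructed for illustration.

```python
# Added example: flag views of a monitored patient record by users outside
# that patient's documented care team. All data below is constructed.
import csv
from io import StringIO

# Constructed EHR access audit log: timestamp, user, role, patient_id, action
AUDIT_LOG = """\
timestamp,user,role,patient_id,action
2009-01-26T08:02:11,nurse_a,nurse,P-1001,view
2009-01-27T14:20:45,clerk_b,billing,P-1001,view
2009-01-27T14:21:03,dr_c,physician,P-1001,view
2009-01-28T09:15:30,rad_d,radiology,P-1001,view
2009-01-28T11:40:02,nurse_a,nurse,P-2002,view
"""

# Patient records under heightened monitoring (constructed ids)
FLAGGED_PATIENTS = {"P-1001"}

# Users with a documented treatment relationship to each flagged patient (constructed)
CARE_TEAM = {"P-1001": {"nurse_a", "dr_c"}}


def find_suspicious_access(log_text, flagged, care_team):
    """Return audit rows where a flagged record was viewed by someone outside its care team."""
    reader = csv.DictReader(StringIO(log_text))
    hits = []
    for row in reader:
        pid = row["patient_id"]
        if pid in flagged and row["user"] not in care_team.get(pid, set()):
            hits.append(row)
    return hits


def summarize_by_user(hits):
    """Count suspicious accesses per user for the periodic access-review report."""
    counts = {}
    for row in hits:
        counts[row["user"]] = counts.get(row["user"], 0) + 1
    return counts


if __name__ == "__main__":
    suspicious = find_suspicious_access(AUDIT_LOG, FLAGGED_PATIENTS, CARE_TEAM)
    for row in suspicious:
        print(f"{row['timestamp']} {row['user']} ({row['role']}) viewed {row['patient_id']}")
    print(summarize_by_user(suspicious))
```

In a real deployment the care-team roster would come from the scheduling or encounter system rather than a hard-coded dictionary, and the report would feed the regular access-rights review.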
I believe Kaiser took the right action. We need to make people in trusted positions accountable for their actions. Technology alone can't protect you against an internal breach.