Monday, July 29, 2013
“We didn’t bother with a contract because we’re med students, not security guys.”
Oregon Health & Science University is notifying 3,044 patients that their OHSU health information was stored on an Internet-based email and/or document storage service, also known as a “cloud” computing system.
Although the Internet-based service provider (Google Drive, Google Mail) is password-protected [practically worthless Bob] and has security measures and policies in place to protect information, it is not an OHSU business associate with a contractual agreement to use or store OHSU patient health information.
There is no evidence that the data was accessed or used by anyone who did not have a legitimate patient care need to view the information. [and with no logs, we can’t prove they didn’t Bob] However, the terms of service indicate the data stored with the Internet-based provider can be used for the “purpose of operating, promoting, and improving [its] Services, and to develop new ones.” OHSU has been unable to confirm with the Internet service provider that OHSU health information has not been, and will not be, used for these purposes. Consequently, OHSU is notifying all affected patients.
In May 2013, an OHSU School of Medicine faculty member discovered residents, or physicians-in-training, in the Division of Plastic and Reconstructive Surgery were using Internet-based services to maintain a spreadsheet of patients. Their intent was to provide each other up-to-date information about who was admitted to the hospital under the care of their division.
… “We do not believe this incident will result in identity theft or financial harm; however, in the interest of patient security and transparency and our obligation to report unauthorized access to personal health information to federal agencies, we are contacting all affected patients. We sincerely apologize for any inconvenience or worry this may cause our patients or their families,” said John Rasmussen, OHSU’s Chief Information Security Officer.
SOURCE: Oregon Health & Science University
Note that this is OHSU’s fifth breach that I’ve reported on this blog since 2008:
- In December 2008, they notified 890 patients whose PHI was on a laptop stolen from an employee attending a conference in Chicago;
- In June 2009 – also before HITECH went into effect – OHSU notified 1000 patients that their names, treatment information and medical record numbers were on a laptop stolen from a physician’s car outside the doctor’s home (subscription and login required);
- In July 2012, more than 14,000 pediatric patients and 200 employees had data on a USB drive stolen in a home burglary; and
- In March 2013, they reported that more than 4,000 patients had PHI on a laptop stolen from a researcher’s rental home.
What is an “adequate limit?”
Few See Adequate Limits on NSA Surveillance Program
Pew Survey: “A majority of Americans – 56% – say that federal courts fail to provide adequate limits on the telephone and internet data the government is collecting as part of its anti-terrorism efforts. An even larger percentage (70%) believes that the government uses this data for purposes other than investigating terrorism. And despite the insistence by the president and other senior officials that only “metadata,” such as phone numbers and email addresses, is being collected, 63% think the government is also gathering information about the content of communications – with 27% believing the government has listened to or read their phone calls and emails.”
So I can’t fly my drone until the feds give me a budget? I don’t think so…
Ben Wolfgang reports:
The lagging federal effort to fully integrate drones into U.S. airspace is in danger of falling even further behind schedule.
A funding bill now before the Senate essentially would stop the process in its tracks by prohibiting the Federal Aviation Administration from moving forward until it completes a detailed report on drones’ potential privacy impact.
The report, called for in the Senate’s fiscal 2014 transportation appropriations measure, would be yet another hurdle in the FAA’s already complex, time-consuming drone integration initiative.
Read more in the Washington Times.
My phone book does not record the number I called or the times of each call or the location I called from…
Rep. Mike Rogers has jumped on Michele Bachmann’s comparison of NSA bulk collection of call records to phone books:
There are “zero privacy violations” in the National Security Agency’s collection of phone records, House Intelligence Committee Chairman Mike Rogers, R-Mich., said Sunday on “Face the Nation,” just days after the chamber narrowly rejected a measure that would have stripped the agency of its assumed authority under the Patriot Act to collect records in bulk.
“There’s more information in a phone book than there is in this particular big pile of phone numbers that we used to close the gap – we, the intelligence services – close the gap that we saw didn’t allow us to catch someone from 9/11,” Rogers said.
“Remember, this came about after 9/11 when we found out afterward that terrorists that we knew about overseas had called somebody who was a terrorist but living in the United States or staying in the United States,” he continued. [and we did that without the metadata database. Bob] “He ended up being the person that got on an airplane and flew into the side of the Pentagon.”
Read more on CBS Face the Nation.
So Rogers ignores the significance of metadata and refuses to see that the very collection of bulk call records without reasonable suspicion that the targeted individuals have done something terrorism-related is in itself a privacy violation.
Just attach, stick or drop your Tile into any item you might lose: laptops, wallets, keys, guitars, bikes—you name it.
The Tile App on your phone makes it easy to find your Tile(s) anywhere, anytime.