Sunday, September 03, 2017

It couldn’t happen here, could it?  Sounds like I should have my Computer Security class conduct a survey.
Pharma is hiding data breaches, claims UK survey
The results of the Crown Records Management (CRM) survey, undertaken by Censuswide - comes just weeks after US pharma giant Merck & Co revealed it had fallen victim to the Petya ransomware attach.
The new survey polled 408 IT decision-makers in companies of between 100 and 1,000 employees across the country, and provided some shocking results which suggest many of the UK's data breaches are going unreported.
   Some of the statistics for the pharmaceutical sector are below, with mixed results:
·         23 per cent have chosen not to report a breach to more senior management or the appropriate authorities;
·         15 per cent don’t know who to report a breach to – only the retail sector polled worse;
·         23 per cent know somebody in their company who hasn’t reported a data breach; and


All the celebrity gossip magazines have reported on his medical issues in great detail.  What would be the Best Practice for securing medical records.  Should there be a Celebrity Level of protection that is better than the Regular Gut Level? 
Good grief.  When I saw this headline, my first thought was that maybe OurMine had hacked the NY Daily News, but it seems the headline was for real.  Justin Bieber had reportedly sought emergency medical care, an employee had been fired for allegedly accessing his medical records without necessity, and somehow the press found out about it all. 
How did that happen?
I have no idea whether the Northwell Health employee who was terminated for allegedly accessing his medical records did what she is accused of doing.  That’s a second – and important – issue, to be sure.  But how did news of this all make it to a newspaper?  If the media found out about it from the legal action the fired employee took, did the suit actually name Bieber, and if so, did it have to?  Or did the media find out from some other source?  If so, who or what?  Was there a HIPAA breach in addition to any HIPAA breach Northwell had alleged?
I don’t know if HHS will investigate this seeming breach given how overwhelmed they are with breaches to investigate, but I have a number of questions I’d like answered, including:
  1. Does Northwell Health have logs that show whether or not the employee accessed Mr. Bieber’s records?  If they do have logs, did they show the proof of their allegations to the employee and her counsel?  If not, why not, and could this media circus have been avoided by the way they handled the accusation against the employee?
  2. Because of Mr. Bieber’s celebrity status, many systems would have additional precautions in place, such as using a fake name and “break the glass” security to further limit access to files.  From media reports, it appears that Mr. Bieber may have been admitted under an alias, but what other privacy protections did Northwell have in place?
  3. If Mr. Bieber is named in the complaint, did Northwell Health make any motion to seal the employment complaint to protect Mr. Bieber’s privacy?
It’s possible or even likely  that I may be more concerned about this incident/disclosure than Mr. Bieber may be. As a healthcare professional, a privacy advocate, and as a patient of the Northwell Health System, I think all patients should be concerned by what happened to him because a failure to protect his privacy – when there should have been heightened vigilance to protect it – doesn’t bode well for the protection of the privacy of us “little folks.”
So yes, I will be following this case. Northwell Health did not immediately reply to a preliminary inquiry I sent them. That inquiry included whether  “break the glass” protection had been in place for Bieber’s records, whether Northwell has logs/audits showing access to Bieber’s records that demonstrate that the employee did access them, and whether the former employee had any obligation not to reveal Mr. Bieber’s identity or details in any employment complaint.
This post will be updated as more information becomes available.


I have given up asking my favorite Computer Store to stop asking me questions like: “Do you still live at …”  My response of, “Yes, but you still aren’t invited to dinner” falls on deaf ears. 

No comments: