Pharma is hiding data breaches, claims UK survey
The results of the Crown Records Management (CRM) survey, undertaken by Censuswide, come just weeks after US pharma giant Merck & Co revealed it had fallen victim to the Petya ransomware attack. The new survey polled 408 IT decision-makers in companies of between 100 and 1,000 employees across the country, and provided some shocking results which suggest many of the UK's data breaches are going unreported.
… Some of the statistics for the pharmaceutical sector are below, with mixed results:
- 23 per cent have chosen not to report a breach to more senior management or the appropriate authorities;
- 15 per cent don’t know who to report a breach to – only the retail sector polled worse;
- 23 per cent know somebody in their company who hasn’t reported a data breach; and
All the celebrity gossip magazines have reported on his medical issues in great detail. What would be the Best Practice for securing medical records? Should there be a Celebrity Level of protection that is better than the Regular Guy Level?
Good grief. When I saw this headline, my first thought was that maybe OurMine had hacked the NY Daily News, but it seems the headline was for real. Justin Bieber had reportedly sought emergency medical care, an employee had been fired for allegedly accessing his medical records without necessity, and somehow the press found out about it all. How did that happen?
I have no idea whether the Northwell Health employee who was terminated for allegedly accessing his medical records did what she is accused of doing. That’s a second – and important – issue, to be sure. But how did news of this all make it to a newspaper? If the media found out about it from the legal action the fired employee took, did the suit actually name Bieber, and if so, did it have to? Or did the media find out from some other source? If so, who or what? Was there a HIPAA breach in addition to any HIPAA breach Northwell had alleged?
I don’t know if HHS will investigate this seeming breach given how overwhelmed they are with breaches to investigate, but I have a number of questions I’d like answered, including:
- Does Northwell Health have logs that show whether or not the employee accessed Mr. Bieber’s records? If they do have logs, did they show the proof of their allegations to the employee and her counsel? If not, why not, and could this media circus have been avoided by the way they handled the accusation against the employee?
- Because of Mr. Bieber’s celebrity status, many systems would have additional precautions in place, such as using a fake name and “break the glass” security to further limit access to files. From media reports, it appears that Mr. Bieber may have been admitted under an alias, but what other privacy protections did Northwell have in place?
- If Mr. Bieber is named in the complaint, did Northwell Health make any motion to seal the employment complaint to protect Mr. Bieber’s privacy?
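As an added illustration (not code from the original post or from Northwell), here is the kind of access-log review the first two questions assume: given constructed EHR access records and one alias-registered patient whose record is flagged as restricted, it separates accesses that went through a "break the glass" prompt (legitimate, but queued for human review) from accesses with no override recorded at all. The log format, field names, user names and patient alias are all assumptions.

```python
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample EHR access log (one JSON record per line); the field
# names and the alias scheme are assumptions, not any real system's format.
SAMPLE_LOG = """\
{"ts":"2017-06-01T02:10Z","user":"nurse_a","patient":"ALIAS-4471","on_care_team":true}
{"ts":"2017-06-01T02:42Z","user":"clerk_b","patient":"ALIAS-4471","btg_reason":"ED registration"}
{"ts":"2017-06-01T03:05Z","user":"clerk_c","patient":"ALIAS-4471"}
{"ts":"2017-06-01T03:06Z","user":"clerk_c","patient":"P-1002"}
"""
RESTRICTED = {"ALIAS-4471"}  # records the privacy office has placed under break-the-glass

@dataclass(frozen=True)
class AccessEvent:
    ts: str
    user: str
    patient: str
    on_care_team: bool          # user is on the documented care team
    btg_reason: Optional[str]   # justification typed at the break-the-glass prompt

def parse_log(text: str) -> List[AccessEvent]:
    """Parse line-delimited JSON records into AccessEvent objects."""
    events = []
    for line in filter(str.strip, text.splitlines()):
        r = json.loads(line)
        events.append(AccessEvent(r["ts"], r["user"], r["patient"],
                                  bool(r.get("on_care_team", False)), r.get("btg_reason")))
    return events

def review_restricted_access(events: List[AccessEvent], restricted) -> List[Tuple[str, str, str, str]]:
    """Flag every access to a restricted record by someone outside the care team.
    'btg_review': the override prompt was answered and the access needs human review.
    'unjustified': no override was recorded, so the control was bypassed or never applied."""
    findings = []
    for e in events:
        if e.patient not in restricted or e.on_care_team:
            continue
        verdict = "btg_review" if e.btg_reason else "unjustified"
        findings.append((e.user, e.patient, e.ts, verdict))
    return findings

def run_example() -> List[Tuple[str, str, str, str]]:
    """Run the review over the constructed log; returns two findings."""
    return review_restricted_access(parse_log(SAMPLE_LOG), RESTRICTED)
```

An "unjustified" finding is the more serious one: if the record really was under break-the-glass, the log should never contain an access without a recorded reason, so either the control was not applied to that record or the audit trail is incomplete.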
It’s possible or even likely that I may be more concerned about this incident/disclosure than Mr. Bieber may be. As a healthcare professional, a privacy advocate, and as a patient of the Northwell Health System, I think all patients should be concerned by what happened to him because a failure to protect his privacy – when there should have been heightened vigilance to protect it – doesn’t bode well for the protection of the privacy of us “little folks.”
So yes, I will be following this case. Northwell Health did not immediately reply to a preliminary inquiry I sent them. That inquiry included whether “break the glass” protection had been in place for Bieber’s records, whether Northwell has logs/audits showing access to Bieber’s records that demonstrate that the employee did access them, and whether the former employee had any obligation not to reveal Mr. Bieber’s identity or details in any employment complaint.
This post will be updated as more information becomes available.
I have given up asking my favorite Computer Store to stop asking me questions like: “Do you still live at …” My response of, “Yes, but you still aren’t invited to dinner” falls on deaf ears.