The #1 Bermuda Triangle of Patient Privacy – debunking patient data loss

Saturday, January 05, 2013

Danny Lieberman


In this first part of a series devoted to demystifying patient privacy, Danny Lieberman, founder of Pathcare, the private social network for doctors and patients, challenges our assumptions about the actual damage of patient data loss.

Patient data loss is a lot like planes disappearing in the Bermuda Triangle – no one really knows where the planes went, since the people on them never came back to tell the story. In the same way, we talk about patient data loss and never really consider how you can “lose” patient data and whether it can be “returned”.

The Bermuda Triangle, also known as the Devil’s Triangle, is a region in the western part of the North Atlantic Ocean where a number of aircraft and surface vessels are said to have disappeared under mysterious circumstances. Popular culture has attributed these disappearances to the paranormal or activity by extraterrestrial beings. See http://en.wikipedia.org/wiki/Bermuda_Triangle

One of the more interesting oxymorons in the information security industry is the term “Data loss”.

Oxymora appear in a variety of contexts, including literary oxymorons crafted to reveal a paradox. http://en.wikipedia.org/wiki/Oxymoron

The paradox of data loss is that you can’t really lose data. You can have an unauthorized network transfer of data or lose a copy – but the data itself is never lost.

You can copy patient data sets from one host machine to another host machine. You can copy data from network storage to a flash drive and lose the flash drive when it falls out of your pocket walking on the street, or you can lose a hard copy paper report of patient data while traveling on the train to work. This is more of a case of preventing employee stupidity than preventing data loss.

There is only one case where data is really lost and that is a hard disk crash with no backup. In this day and age of highly reliable disk drives, disk controllers and cloud backups, it’s a rare event; I challenge you to remember the last time you had data totally lost due to a hardware crash with no backup at all. If you have professional information security support in your hospital or medical practice – you won’t be losing data due to hard drive crashes.

I can see 4 scenarios where there is a paradox with patient data loss – that is to say, patient data that was copied from Point A to Point B and no detectable damage was incurred. If no damage was incurred then why are we concerned?

For the sake of discussion, we’ll continue to use the impossible term of “data loss” instead of “data copied somewhere” which seems to be confusing.

We challenge the widely held notion that a patient data loss event is damaging to patient privacy and will show with concrete examples that data loss is not always an event with real damage to patient privacy.

Patient data that was really lost

A hospital employee carries paper records with PHI and forgets his briefcase with the papers on the train. If no one can find the data, it follows that there was no breach of privacy, was there? The HHS is concerned for sure – but it is a security event with zero impact.

Patient data that was probably lost

A healthcare provider discovers during its yearly security audit that, 9 months previously, patient data records were file-transferred on a high-numbered port to an unidentified server in cyberspace which no longer existed by the time of the security audit. If no one knows what was done with the data, it is impossible to calculate the impact of the data breach after the fact. (Note that the HIPAA Security Rule opens with item §164.308(a)(1), the Security Management Process.)

Security Management Process §164.308(a)(1)(ii)(A) – Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information.
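The audit scenario above is only unanswerable because nobody was looking at egress traffic when it happened. The following is an added example, not code from the original post or from Pathcare: it assumes a simple constructed flow-log format (timestamp, source IP, destination IP, destination port, bytes sent), a constructed internal address range, and an allowlist of destinations the provider legitimately sends PHI to, and flags large outbound transfers from internal hosts to unknown destinations on high-numbered ports so the event surfaces when it occurs rather than at next year's audit.

```python
"""Egress review for the 'unidentified server' audit scenario.

Added example (not from the original post). The log format, address ranges,
thresholds and sample lines below are all constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed allowlist: destinations PHI is expected to go to (assumed values).
KNOWN_DESTINATIONS = [
    ip_network("198.51.100.0/24"),  # constructed: claims clearinghouse range
    ip_network("203.0.113.10/32"),  # constructed: off-site backup host
]
INTERNAL = ip_network("10.0.0.0/8")  # constructed internal address space
HIGH_PORT_FLOOR = 1024               # "high-numbered port" threshold (assumption)
BYTES_THRESHOLD = 50 * 1024 * 1024   # flag transfers of 50 MiB or more (assumption)


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    out_bytes: int


def parse_flow(line):
    """Parse one record: '<ts> <src> <dst> <dport> <bytes_out>' (constructed format)."""
    ts, src, dst, dport, nbytes = line.split()
    return Flow(ts, src, dst, int(dport), int(nbytes))


def is_known_destination(dst):
    """True when the destination falls inside an allowlisted network."""
    addr = ip_address(dst)
    return any(addr in net for net in KNOWN_DESTINATIONS)


def is_suspicious(flow):
    """Internal source, external unknown destination, high port, large volume."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    return (
        src in INTERNAL
        and dst not in INTERNAL
        and not is_known_destination(flow.dst)
        and flow.dport >= HIGH_PORT_FLOOR
        and flow.out_bytes >= BYTES_THRESHOLD
    )


def flag_flows(lines):
    """Return the flows worth a human look, in log order."""
    return [f for f in map(parse_flow, lines) if is_suspicious(f)]


# Constructed sample log: five flows, one of which matches the audit scenario.
SAMPLE_LOG = [
    "2012-04-02T02:14:07Z 10.20.5.17 198.51.100.44 443 83886080",  # known clearinghouse
    "2012-04-02T02:31:55Z 10.20.5.17 192.0.2.77 48231 209715200",  # unknown host, high port, 200 MiB
    "2012-04-02T03:05:10Z 10.20.5.17 192.0.2.77 48231 1200",       # same host, tiny transfer
    "2012-04-02T03:40:01Z 10.20.8.3 10.20.9.1 8443 734003200",     # internal to internal
    "2012-04-02T04:12:33Z 10.20.5.17 203.0.113.10 22 104857600",   # known backup host
]

if __name__ == "__main__":
    for f in flag_flows(SAMPLE_LOG):
        print(f"{f.ts} {f.src} -> {f.dst}:{f.dport} {f.out_bytes} bytes: review")
```

Two points follow from the scenario rather than from the code: keep the flow records at least as long as the audit cycle, because the server's name may be gone by the time anyone asks, and the destination address, port and byte count in the retained record are exactly what lets you estimate the impact after the fact instead of declaring it incalculable.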

Read about the Tao of risk management and you will understand that an accurate and thorough assessment of threats and potential damage will lead you to cost-effective patient data security countermeasures.

Patient data disclosed to an unauthorized person for the right reason

A nurse gives a caregiver patient data (the patient is the girlfriend of the caregiver) in order to help the caregiver monitor medication and compliance with the treatment plan. Legally – this is a patient data privacy breach – but practically, it’s good medicine and good medical ethics since the data is in good hands and for a good cause.

Crowdsourcing patient data for a cure

A patient has cancer and doctors are pessimistic about a cure. The patient open-sources all of his medical records on the Internet. This is the approach that Italian engineer Salvatore Iaconesi took when he was told that the only option was high-risk brain surgery with limited chances of success.

Iaconesi took all of his private medical records, reformatted them, and published them online, asking for the opinions of as many experts as he could possibly find. His website, Open Source Cure, attracted 200,000 visits in its first month (September 2012). Open Source Cure enabled Salvatore to discuss his options with more than 40 doctors and medical experts from around the world and, in consultation with his doctors, to use several different techniques that should give him a better shot at a recovery.

“I’m happy that a situation that was unlucky for me has turned into an opportunity to understand how to use technology, science and human goodwill in a collaborative way,” says Salvatore. “I would like to see it ending with me coming out of hospital with my cancer cured, but I don’t expect anything. It is just good that a large amount of people are taking into account the possibility that there are other ways to do things.”

You can lose a digital or hard printed copy of data but you don’t lose the data. It’s still there.

As a matter of fact – one of the biggest challenges in data governance is storing too much data – and we’ll talk about the dangers of storing too much data in the next installment of this series of articles on the oxymora of patient data loss.

Cross-posted from Pathcare

Stephen Cobb I must be missing something. Surely data such as the results of my spinal can disappear if the only copy is on a piece of paper or USB drive that gets shredded?

And I'm quite sure my privacy has been violated if a doctor leaves my notes on a train and a stranger reads them. If said stranger is malicious he might try to blackmail me with test results, no?

Again, I may be missing the point.
Danny Lieberman Stephen

I mentioned the case of a single hard copy being lost.

In modern information systems, this is a non-existent use case, since the original data is on a database and backup data sets.

Blackmail is perpetrated by people who know you, not total strangers who find a piece of paper on the subway.

IF a doctor left notes regarding your condition on a train and IF a person of interest found the notes and IF the person happened to be malicious and IF he or she was able to track you down and IF you didn't call the police....

This is a criminal act, not a privacy breach scenario.

This is such a low-probability scenario that I challenge you to find even 1 reported event like that.

Now consider that you used your corporate password on an adult site, you were cyber-stalked and blackmailed.

This is a high probability event, as reported by NYPD computer crimes unit, almost 50% of their case load is cyber stalking, not people being blackmailed by strangers.

Yes - you are missing the point.

The point is that the current definition of data loss is simply incorrect and as a result, privacy regulation is misdirected at soft, low-risk targets like paper instead of hard, high-risk, high-impact targets like cyber-stalking.