Forwarded from: Marc Maiffret <marc (at) marcmaiffret.com>

It is always funny when you hear about organizations, as critical as
medical or finance, still depending on the honor system for security.
Those lovely employee security handbooks that are put to paper what
you could enforce through technology. But of course there is the old
tired excuse that it costs too much and is too complex to do proactive
enforcement rather than reactive policing. It is in fact true that
reactive policing is cheaper when there is no incident, but much more
costly when there is. Whether, as in this case, it be the immeasurable
loss due to negative publicity or HR and related costs of having to now
fire, hire and train new employees.

You also have to wonder whether it is only the ability to view our
medical records that is based on the honor system, or also the ability
to modify them.

-Marc Maiffret

P.S. The "quick fix" (ha!) of course, add an actually useful requirement
to all this regulation garbage that goes beyond "You will use
anti-virus" to "Your medical record system should provide mandatory
access control to patient records" bla bla bla





-----Original Message-----

http://www.mtv.com/news/articles/1583480/20080314/spears_britney.jhtml

By Larry Carroll
MTV News
March 14, 2008

LOS ANGELES -- In the song "Leave Me Alone," imperiled pop star Britney
Spears sang, "Leave me alone/ Let me live my life in peace." Now, she
might want to sing those words to the medical workers on duty during her
most recent hospital stay.

The Los Angeles Times is reporting that the UCLA Medical Center has
launched an investigation into some 25 employees who peeked at the
singer's confidential medical records during her late January/ early
February stay in the psychiatric ward. This week, the hospital began the
process of firing 13 employees, has suspended at least six more, and is
considering discipline against six other physicians who looked at her
computerized records.

"It's not only surprising," human resources director Jeri Simpson told
the paper, adding that similar firings also followed Spears' 2005 stay,
when she gave birth to her first child, Sean Preston. "It's very
frustrating, and it's very disappointing.

"I feel like we do everything that we possibly can to ensure the privacy
of our patients, and I know we feel horrible that it happened again,"
Simpson added, offering an apology to Spears. "I don't know what it is
about this particular person."

UCLA confirmed that, in an attempt to keep this breach of ethics from
occurring, officials had sent out a memo on the morning Spears was
hospitalized. The memo reminded employees that they were only allowed to
view their own patients' records and that doing otherwise violated a
federal patient-privacy law called the Health Insurance Portability and
Accountability Act.

"Each member of our workforce, which includes our physicians, faculty,
employees, volunteers and students, is responsible to ensure that
medical information is only accessed as required for treatment, for
facilitating payment of a claim, or for supporting our healthcare
operations," the memo read. "Please remember that any unauthorized
access by a workforce member will be subject to disciplinary action,
which could include termination."

[...]
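As an added illustration (not code from the thread, UCLA, or any real record system) of the point Marc raises and of the memo's "only your own patients' records" rule: a minimal record service that enforces a treatment relationship in software and keeps an audit trail, so that out-of-relationship access is blocked and reported rather than discovered after the fact. All staff and patient identifiers below are constructed.

```python
"""Care-relationship access control for patient records (constructed example)."""
from dataclasses import dataclass, field


@dataclass
class RecordSystem:
    # patient_id -> set of staff_ids with an active treatment relationship
    care_teams: dict = field(default_factory=dict)
    # every access attempt is recorded, whether it was allowed or denied
    audit_log: list = field(default_factory=list)

    def assign(self, patient_id, staff_id):
        """Put staff_id on the care team for patient_id (constructed workflow)."""
        self.care_teams.setdefault(patient_id, set()).add(staff_id)

    def view_record(self, staff_id, patient_id, purpose="treatment"):
        """Return the chart only if staff_id is on the patient's care team.

        The check is mandatory: it runs before any data is returned, and the
        attempt is logged either way so denied lookups are visible to review.
        """
        allowed = staff_id in self.care_teams.get(patient_id, set())
        self.audit_log.append({"staff": staff_id, "patient": patient_id,
                               "purpose": purpose, "allowed": allowed})
        if not allowed:
            raise PermissionError(
                f"{staff_id} has no treatment relationship with {patient_id}")
        # placeholder chart contents; a real system would load the record here
        return {"patient": patient_id, "chart": "<record contents>"}


def denied_access_report(system):
    """Count denied attempts per staff member from the audit log.

    This is the proactive counterpart of the after-the-fact investigation
    the article describes: the same data, reviewed as it is produced.
    """
    counts = {}
    for entry in system.audit_log:
        if not entry["allowed"]:
            counts[entry["staff"]] = counts.get(entry["staff"], 0) + 1
    return counts


if __name__ == "__main__":
    rs = RecordSystem()
    rs.assign("patient-42", "nurse-a")
    print(rs.view_record("nurse-a", "patient-42"))
    try:
        rs.view_record("clerk-z", "patient-42")
    except PermissionError as err:
        print("denied:", err)
    print(denied_access_report(rs))
```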



___________________________________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn