Keeping the Lid on Sensitive Data
by David Sklar
If a US-based employee disclosed confidential patient data in a back-pay dispute, they'd be in big trouble, whether or not they had a valid pay gripe. But the long arm of US law doesn't extend so easily to Pakistan, where this incident happened, or plenty of other overseas destinations for medical transcription outsourcing.
As a chain is only as strong as its weakest link, a privacy or confidentiality regime protecting data is only as strong as the flimsiest, most disclosure-prone access to the data. In this case, an underpaid and mistreated (or wily and greedy, depending on who you believe) person not accountable to US law provides an extremely weak link in the medical privacy chain.
I've idly wondered if working as a custodian at a software company can get you a lucrative sideline as a pirate software distributor -- bring a FireWire DVD burner to work with you and take home some goodies. There are a lot of people in the "chain of data" that are sometimes just looked at as furniture by the "professionals" who are "really" working with the data. In the UCSF case, doctors record gobs of dictation and then, a little while later, it shows up all typed out. Do they care if it took a trip around the world in the process?* Software developers go to work every day and find the floor vacuumed.** Are they concerned about who cleaned up and restocked the kitchen with Jolt? Who changes the lightbulbs in Experian's data center? Lots of juicy data there.
Once we realize all of the people that really do have access to very sensitive data, we can treat them appropriately (and scrutinize them properly before such access is granted).
* Many doctors may in fact care, I don't mean to categorically malign them. Multiply subcontracting administrators seem to have been the problem in the UCSF case.
** I realize it is likely that some developers are familiar with the custodial folks since the developers are cranking away when the custodians show up at midnight.
What are the weak spots in the data chain that you worry about?
Criminal Acitivity at HMO Computer Center
About one hour before I was scheduled to look for irregularities in an HMO's computer systems, a gunman fired a sawed-off shotgun in my general direction. A few weeks later, the first of many explosions was set off in a building where I was, across the street from one of the Kaiser Permanente hospitals. I received death threats and was subjected to intimidation by the HMO's own employees to discourage me from talking to auditors. One of them intercepted copies of a report I had prepared, tore off pages, lied to me about it, and hindered notifying others of the situation. This specific report included a warning of problems at Kaiser involving hospitalization and billing discrepancies.
Following these incidents, a Kaiser supervisor accurately described me as a "walking hostage," the Personnel Department told to take a different route to work daily and to buy a nondescript car which could not be singled out in traffic. A Kaiser manager described one person who was intimidating me as being so dangerous that she had to be under 24 hour surveillance. Two police cruisers were parked near my residence, twenty-four hours daily for about two weeks, which did nothing to stop ongoing intimidation.
I have opened a home page devoted to my encounters with criminal activity at work. My home page also deals extensively with healthcare computer systems.