This seems innocent enough:
Of course, that laptop:
- Runs Windows
- Has unused USB and Firewire ports
- Has active WiFi networking
- Doesn’t have a screensaver timeout
- Was left alone with a patient
- Is not locked
I mentioned to my doctor that, if I were of malign intent, I would now have complete control of every PC on their network. That didn’t make much of an impression, as the same thing happened on my next visit.
Of course, moving to electronic records makes a lot of sense, but if you think they’ll be any more secure than any other online personal information, you’re wrong.
The Smell of Molten Projects in the Morning 
I’d say having no electronic record at all and administering a wrong drug (one you have allergy on for example) or having no electronic record and losing all your paper records moving from one practice to another ( happened to me some time ago) is much more detrimental to your health than allowing someone with no authorization to see your record. We are living in an ever more tolerant society where people share all sorts of minute details about them on FB without thinking for a second. Seems like electronic medical records are still far less available and far less damaging to your privacy than some of the photos from a night out (with each participant identified on the photo either manually or even automatically in the future) you may come across on FB.
That said, I don’t care who looks at my record but I would be really concerned if just anyone can change things in there.
The other side of that: whatever’s recorded in digital format is the truth from then on. With a badly handwritten record, you can determine the drug name seems ambiguous, but with a nice clean digital record there’s no doubt about it… even if it’s wrong, that’s what you’ll get!
These machines are far more locked down then they appear. You can’t judge a book by its cover. You can’t assume security or lack thereof by seeing it’s running Windows, or that it’s hooked up to the net like your average home PC. These machines aren’t running stock/OEM Windows straight from Lenovo. Securing PCs for use in public spaces (regardless of OS), *especially* in the medical field, is a huge ecosystem on its own, and Windows has by far the most robust security software packages out there. The wifi networks are far more secure than your average wifi. Every action taken on that machine is recorded for compliance. And the fact that your record was left alone with you isn’t a big deal. If you clicked around and got to someone else’s record, that’s a problem. But I’m guessing you didn’t do that.
Being a good hacker or an advanced computer user alone wouldn’t give you enough skills to take complete control of their network. You’d have to have intimate knowledge of that network, its computers and certificates, and the software its running. Even then you probably get nowhere in 2-3 hours (if your doctor is really far behind ;).
I’d really, really like to believe that, but the continued string of “lost” data from Big Name Firms who should know what they’re doing suggests otherwise. If a company dealing with Big Data can’t solve the security problem, then I’d say whoever leases medical records software to doctors (I’m trusting they’re not writing their own, of course) won’t do any better.
Not this time… [grin]
I gather the movement to electronic records is either mandated or strongly encouraged by the feds as a side effect of obamacare. My doctor’s office has been using them for years, but that’s an adaptation to being in a largely rural county, at the bottom of the food chain, with huge turnover. At last count, I’ve had 4 different primary care people in 6 years. The EMRs there have actually saved a lot of grief, since that gives the continuity otherwise lacking. The screen gets locked unless the pro is on the computer, so that helps.
My dentist’s office is switching to EMRs, and it’s greatly increased the workload for the hygienists and dentists. Not a lot of happy people there (quite a contrast to Before EMR). Having to redo the patient information for each patient since the change isn’t making for happy customers, either.
FWIW, any medical office is at risk of a HIPPAA violation and corresponding huge fine if/when they do get hacked. Doesn’t look like a good year to be in the medical profession. [sigh]
The former, I think, if you want to get in on the action.
One unanticipated side effect seems to be that sole practicioners are closing up shop, as they simply can’t afford the IT burden. Our GP joined a group practice, but from what she says, a good deal of job satisfaction has vanished over the last decade or so.
I think Heinlein’s Razor to be appropriate*, especially the part following the word “but”.
Just because you’re paranoid…
* See Wiki if necessary, probably slightly more relevant than Hanlon’s or Napoleon’s versions.
Sorry, but this is EXACTLY what I do for a day job. Let’s just say exactly what you saw is typical, maybe even best case scenario. Sorry, but it’s your public duty to report http://www.hhs.gov/ocr/privacy/hipaa/complaints/
While I’d love to tell you the story TIm is correct and there may not have been obvious security, remember I audit these idiots daily. A close friend is in the security division of a major University hospital. There was an argument with a doctor over requiring a provided smartphone with a password. The doctor said, I cannot have a password on this device, I use it to run my personal business on the side. They did not fire this person on the spot. It has to stop somewhere, don’t let this continue.
Seriously, report the violation! This is FEDERAL LAW.
The catch being, of course, that having pointed out the (observed, possibly nonexistent) security issue to our doctor, having The Feds swoop down on the practice from a great height definitely isn’t going to improve my health care experience one little bit.
In fact, the next time I’m, uh, confronted with the Blunt Finger of Inquiry could be an unpleasant experience… [wince]
I have another appointment in a few months and, if I’m left alone with an unlocked laptop, I’ll poke around.
“I have another appointment in a few months and, if I’m left alone with an unlocked laptop, I’ll poke around.”
Please, don’t do that. Just touching the keyboard is asking for problems. Given a good lawyer, they might get you off but the experience would cost you time, money and reputation. On other words, 2 wrongs don’t make a right. They can get fined, you could go to prison. Yes, dumb how that works out, but that’s the law. They are required to protect the data and apply mandatory security controls but that just results in fines. Touching the laptop with intent to poke around is tampering, regardless if they provided the mandatory warning notice of what the systems contains and who is authorized to access results in you breaking some laws that could land you in the trouble with not just the local, or state, but even federal law.
Again, sorry for harping but I hate to see anyone get caught by the trap. Just touching the keyboard is a bigger legal offense than them not providing the security.
Point taken. I’ll give it a hard look… and run it up their flagpole first.
http://ypdcrime.com/penal.law/article156.htm#p156.05
Unauthorized use of a computer is a class A misdemeanor.
Computer trespass is a class E felony.
Class A is 1 year
Class E is potentially 4 years
They could easily get you on either of those just for touching a computer if it was powered and on. If they logged any snopping around the network, certainly that pushes it into “trespass” with some intent.