Friday, June 19, 2009

Oregon Health & Science University Data Breach: Avoidable?

By: Seth A. Cowand, CISSP
Chief Information Security Officer (CISO)
Cooperative Management and Consulting (Cmac)

There are many incidents of healthcare data breaches from atypical healthcare organizations (i.e. pharmacies, medical schools, etc). What makes these interesting is their status. Does a medical school or pharmacy take the same steps that a hospital or medical group takes to safeguard protected health information (PHI) or electronic PHI (ePHI)? Maybe…maybe not!

A report about a June 2009 data breach from Oregon Health & Science University stuck out at me…but then the details of it made me think…was this avoidable? The limited information available about the incident reveals that approximately 1,000 patients’ records were stolen when “a physician's laptop was stolen from a car parked at the doctor's Washington County home. Patient names, treatment dates, short medical treatment summaries and medical record numbers were stored on the computer.” The questions that popped into my head are: Why are these records saved on a mobile computer? What type of identification or authentication is used to log in to the laptop? Does the organization encrypt the data ‘at rest’? Are there backup copies of the 1,000 records? But my ultimate question has two parts...Why is a physician taking these records home? And, more importantly, why didn’t he or she take the laptop inside the house and physically safeguard it?

Security management has many tenets, but one of the primary ones is risk management. How do organizations, their employees, their managers, and ultimately their customers (i.e. patients) manage the risks associated with PHI and ePHI security and privacy? If a comprehensive approach is implemented, the answer is that they use a Layered Security (commonly called Defense in Depth) approach. What this means is that there is no single layer (and therefore no single point of failure) for safeguarding the confidentiality, integrity, and availability of PHI or ePHI. Another tenet of risk management is that the organization, or its respective decision makers, has the authority and responsibility to ‘accept certain risks’. I provide the following analysis (based on what is publicly available) by pairing the concept of risk management with the Oregon Health & Science University data breach.

It appears that Oregon Health & Science University either does not have policies, procedures, and training (PPT), or does not have enough enforceability (adequate PPT), to implement a ‘culture of security’ that would influence the respective physician to think about the security of the physical laptop and the data stored on it. According to the Federal Trade Commission (FTC), the most effective step one can take to avoid a data breach is having a well-trained workforce. I am going to give the University the benefit of the doubt on its safeguarding of ‘user access’ to the laptop and presume that a strong identification or authentication scheme is implemented, and presume that the data stored on the laptop is protected by a strong encryption algorithm. I do not know this, but I am more hoping this is the case than anything else. However, I do have my doubts about why the respective physician left such a sensitive laptop in his or her vehicle. Physically safeguarding the laptop in the residence provides at least one more layer of security that a nefarious individual has to overcome to gain access to the laptop and the protected data. This is not the first data breach resulting from a stolen laptop, and I am confident it won’t be the last. As computers become smaller, faster, and more mobile, and as physicians and organizations are pushed to become compliant with electronic medical record regulations, patients’ privacy and the security of the most sensitive data an individual has are increasingly at risk.

Was this avoidable…you decide!

For further information please visit www.cooperativemac.com

References:

http://www.privacyrights.org/ar/ChronDataBreaches.htm

http://datalossdb.org/incidents/2113-patient-names-treatment-dates-treatment-summaries-and-medical-record-numbers-of-1-000-on-stolen-laptop

http://www.ftc.gov/bcp/edu/pubs/business/idtheft/bus69.pdf
