So Much for Medical Privacy
As reported in ComputerWeekly, a UK National Health Service (NHS) primary care trust admitted that some 50 staff members viewed the electronic records of a celebrity who had been admitted into its care. At least it wasn't like what happened to a baseball player in New York a while ago, who had over 150 hospital staff looking at his records.
Electronic health record advocates have argued that medical records are more secure in electronic form because you will be able to tell who had access to them, and that this would deter snoops. As the report above notes, however, this may be less effective than proclaimed.
On the same day as this story hit (an interesting coincidence), the non-profit group called the E-Health Vulnerability Reporting Program (EHVRP) released its 15-month study assessing the security risks associated with electronic health record (EHR) systems. Quoting from its executive summary:
• In all cases, evaluated EHR system vulnerabilities could be identified using standard tools and techniques. Subsets of these vulnerabilities were exploited to gain control of the application and access to data to demonstrate the potential consequences.
• EHR vendors are either not disclosing or inadequately disclosing system vulnerabilities to customers, preventing organizations from appropriately managing risk or implementing compensating controls.
• No industry organization could be identified that has established guidelines or practices to appropriately mitigate and manage risks associated with ehealth systems.
• No industry organization could be identified that has the responsibility, charter or mission to address security vulnerabilities in ehealth systems.
The bottom line: there is a lot more work to do to ensure EHR security and hence privacy.
Risk Factor