security Tag Archive

Charts in the Cloud, who owns the data?

When we buy a paper book or a DVD video, what we are really doing is ensuring access to that “content” whenever we want it. If we want to read it or view it, we just go to the shelf and get it. But if we can just go to the Internet and have it streamed to our e-reader, we have the same benefit of ownership; we just don’t actually have a physical book. But do you really own that e-book?

So how about a patient chart? We have charts stacked on shelves because we need assured access to that information whenever we need it. However, if we could get the same chart information from the cloud anywhere, any time, wouldn’t that be just as good? In fact it would be better, since you could get the data at home or while traveling; you wouldn’t have to be in your office.

From a purely intellectual point of view, cloud storage of digital content makes perfect sense; it just seems strange and risky to us. Just as we are becoming comfortable with storing important information in the cloud, another huge data breach is announced on the news. Then there is the other question: who owns data in the cloud?

The vast majority of reported data breaches in healthcare (62%) are the result of lost or stolen computers, not malicious hackers. That means that cloud-based record storage is actually safer than storing the data on a computer in your closet. If the data is in the cloud, there is no need to have the data stored on a local computer. If a burglar steals a computer out of the office that has no patient data on it, there is no breach.

Data storage is just one aspect of cloud computing. What is even better, but also even harder to accept, is that the actual computing takes place in the cloud. We don’t have any software applications installed on our local computer; we just exchange data with a big server in the sky, and the actual processing of the data takes place in the cloud.

This idea was originally called ASP (Application Service Provider) and has been a wonderful but elusive geek dream for almost twenty years. Several dental management systems have been launched based on the ASP or cloud model, and the early ones all failed, as have most of the general cloud-based business applications. They failed for a variety of reasons, including people’s distrust of the Internet and worries about the system failing.

With the new attitude, faster Internet access and just overall better systems, cloud-based dental systems are back. They are Curve Dental, Dentrix Ascend and PlanetDDS.

Originally published on Emmott on Technology.

Big Time Fines – HIPAA and the punitive fines that are being levied on medical and dental facilities

The ADA News reports that a North Carolina ortho clinic has agreed to pay $750,000 to the federal government to settle charges that the clinic potentially violated the Health Insurance Portability and Accountability Act (HIPAA) in 2013 by giving patient information to a potential business partner without a Business Associate Agreement (BAA). The clinic was fined three quarters of a million dollars just because they failed to execute a business associate agreement with a company that was duplicating x-rays.

There is no indication that any patient data was compromised; no patients suffered identity theft or were harmed in any way. The clinic simply failed to do some paperwork.

As frightening as that is, this is worse. A medical research group has agreed to a $3.9 million settlement after an investigation determined that a stolen laptop contained the electronic protected health information (EPHI) of approximately 13,000 patients.

NOTE: The data was not hacked. It was exposed when a laptop was stolen. There is no evidence presented that the data was used in a malicious fashion or that anyone was harmed by identity theft.

The fine amounts to $300 for each of the 13,000 records that were lost.

If you lost a laptop or a thumb drive with your 3,000 dental patient records on it, an equivalent fine would be $900,000. Your liability insurance will not cover this fine. Could you stay in business if you were required to pay almost a million dollars out of pocket?

You can protect yourself in three ways.

1. Ensure that all patient data stored anywhere is stored in an encrypted fashion.
2. Do not store patient data on a local computer but keep all PHI in the cloud.
3. Get adequate insurance. (see below)
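The first of those three points is the one an office can implement on its own. The script below is an added illustration, not code from this post or from any vendor it mentions: it encrypts a constructed sample chart file at rest with AES-256-CBC through the `openssl` command-line tool (assumed to be installed), keeps the key in a separate, permission-restricted file, checks that the ciphertext carries no readable trace of the record, and restores the plaintext only when that key is supplied. A stolen laptop holding only the `.enc` file and no key is the situation the post describes as “no breach.”

```shell
#!/bin/sh
# Added example, not from the post. Assumes the `openssl` CLI is on PATH.
# The patient record below is constructed sample data, not a real chart.

WORK="$(mktemp -d)"

# Write a constructed sample record and print its path.
make_sample_record() {
    printf 'patient_id=12345\nname=Jane Sample\nnote=constructed example record\n' \
        > "$WORK/chart.txt"
    echo "$WORK/chart.txt"
}

# Generate a random 256-bit passphrase, stored apart from the data and
# readable only by the owner. In practice this lives off the laptop
# (hardware token, key vault, or at least a separate encrypted volume).
make_key() {
    openssl rand -hex 32 > "$WORK/chart.key"
    chmod 600 "$WORK/chart.key"
    echo "$WORK/chart.key"
}

# Encrypt record $1 with key file $2 and print the ciphertext path.
# -pbkdf2 derives the AES key and IV from the passphrase with a random salt,
# so two encryptions of the same record do not produce the same ciphertext.
encrypt_record() {
    openssl enc -aes-256-cbc -pbkdf2 -salt -in "$1" -out "$1.enc" -pass "file:$2"
    echo "$1.enc"
}

# Decrypt ciphertext $1 into path $2 using key file $3; print the output path.
decrypt_record() {
    openssl enc -d -aes-256-cbc -pbkdf2 -in "$1" -out "$2" -pass "file:$3"
    echo "$2"
}

# Succeed (exit 0) only if none of the plaintext field names or values
# survive in the ciphertext; -a forces grep to treat the binary file as text.
ciphertext_is_opaque() {
    ! grep -a -q 'patient_id' "$1" && ! grep -a -q 'Jane' "$1"
}

# Round trip when run directly: encrypt, verify opacity, decrypt, compare.
if [ "${0##*/}" != "sh" ] && [ -z "${RUNNER_TEST:-}" ]; then
    REC="$(make_sample_record)"
    KEY="$(make_key)"
    ENC="$(encrypt_record "$REC" "$KEY")"
    ciphertext_is_opaque "$ENC" && echo "ciphertext is opaque"
    DEC="$(decrypt_record "$ENC" "$WORK/restored.txt" "$KEY")"
    cmp -s "$REC" "$DEC" && echo "decrypted record matches original"
fi
```

The key file is the whole point: if it sits on the same laptop next to `chart.enc`, the thief has both and encryption bought nothing. Run the script as-is to see the round trip; point `encrypt_record` at a real export only after deciding where the key will live.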

Most dental liability policies do not cover HIPAA violations or else have very low limits. My friends at PCIHIPAA provide insurance that can cover you if you do have a data breach.

A technology risk assessment is required in order for your office to be HIPAA compliant. A great way to get started with PCIHIPAA is to take advantage of their free assessment. Find out about any potential risks, what you can do about them, and get a quote on insurance to cover you just in case.

Saved by the Cloud… or not

When you visit a medical or dental office in the future you won’t be handed a clipboard and paper forms; all your personal and medical data will be stored in the cloud. The medical or dental office will merely request a download and all the data will be available instantly. No forms, no guessing about medications, no forgetting your last visit, no confusion about insurance.

Isn’t that great? All your highly personal medical data will be available to anyone with access through the cloud!

That will be really great, because we wouldn’t want our personal stuff available to any old hacker, so we will have the same level of protection that people had for their nude photos or that Target had for purchases or … well, maybe it won’t be so great.

As much as I love technology and see the incredible potential of cloud based data and want it to be safe and secure, clearly it is not.

As digital technology and electronic health records stored in the cloud continue to develop, they generate legal, moral and philosophical questions that our existing ethical framework is simply not equipped to handle.

Most of these ethical questions can be summed up as:

Who owns the data?

Patients? If you ask patients, the immediate and unequivocal answer is that they do. That seems right; each patient should have control of their medical information. That is what the HIPAA privacy rules are supposed to address. Yet that is not how the system works.

Doctors? If you ask a dental practice management software (PMS) company who owns the data, the immediate and unequivocal answer is that you do: the doctor owns the data. Yet again, this is not how the system works.

If, as a dentist, I own the data, I should be able to exercise the basic rights of ownership, including using or transferring the data. However, current systems do not allow me to transfer the data to another dentist or to use it as I wish for analysis. Plus, as a dental professional I am obligated ethically and legally to protect the data as confidential.

If I have the data but can’t access parts of it, or more commonly can’t transfer parts of it, do I really own it?

Public? One of the most significant benefits of large online databases of medical information is the aggregation of data for medical research purposes. Already there have been important findings resulting in improved patient care based on database analysis. It seems axiomatic that more data from a wide range of sources will ultimately lead to better results. That is a good thing, but: is it OK to use personal medical data in a study without the patient’s permission? What if the personal identifiers are removed?

Then there is the issue of privacy. The primary issue driving the HIPAA privacy rules is that a patient’s information must be protected. HIPAA is not about speaking a patient’s name aloud in the waiting room; it is about electronic medical data, and making it available to others is wrong, morally and legally. That seems obviously true on the surface. Our personal data should be held in confidence. But what if we choose to make it public by participating in a study? Do we still own that data? Who does: the researchers, the web aggregator, or the public, as in the public good?

In an ideal world all our medical data could be accumulated in a huge national (or, for that matter, global) data bank. This mass of data would be used by benevolent researchers to delve into disease patterns and treatment outcomes, providing a vastly improved understanding of the human condition.

But of course, in the real world we have fear, politics, hackers, bureaucrats, proprietary databases, the nightly news and less than benevolent people.
