THERE IS NO REASON TO CARRY AROUND ELECTRONIC HEALTH RECORDS, ESPECIALLY NOT IN BULK.

Many stories have been published about breaches in EHR security, hospitals hacked, USB sticks lost, laptops stolen. During the almost 3 years that I am maintaining this news page I did not pay much attention to it as I am convinced that security problems during the paper days were more frequent and much more common. Files got lost in the mail, were found in dumping places, were accessible to anyone with a key to the storage room (if locked at all; or in a storage room, for that matter).
There is no question about it, electronic storage is, in principle, much more secure. Ok, the banks don’t tell us how often they have to deal with “burglary”, but I still feel my financial details are quite safe with them. You can protect them more easily, make access far more safe, and you don’t have to schlepp them around. I do not carry all my financial details in my pocket (not even in an electronic form), I have easy, but secure access to them wherever there is an internet connected computer. I agree, if it goes wrong, it is like a plane crash – the most secure way of traveling, but when something happens, the number of people concerned is often enormous.

But this weekend a story was published that even did stop me in my tracks for more than a second. Laptops containing medical details of Birmingham patients stolen. Once again, what’s new. Well a couple of things that are incomprehensible.

Surgical firm Trulife used by four hospitals – Birmingham Children’s Hospital, City Hospital, in Winson Green, Sandwell Hospital, in West Bromwich, and Rowley Regis Hospital – has revealed that three computers have been taken. [In March 2006, March 2007 and February 2008].

Although the laptop in question was reported stolen on the February last year, Trulife did not discover that the laptop held data about Sandwell and West Birmingham Hospitals NHS Trust patients until October.

Alan Taman, of Birmingham Children’s Hospital, said: “Trulife informed us at the end of May about the potential loss of data related to our patients.”

This is an accumulation of negligence that I would like to call criminal. If the story is correct:

• the hospital and therefore the patients were informed for one of the cases almost 4 years after the fact
• the firm realised in October 2008 that patient data were involved (for the theft 8 months earlier, no mention when they realised about the 2 previous ones)
• although the firm made that realisation in October 2008, it took them till May 2009 to inform the hospital

But there is more to it:

A Trulife spokeswoman said although the laptops were password protected they had not been encrypted, and only contained “basic information” of name, address, date of birth, hospital number and orthotics appliance prescription.

NOT ENCRYPTED. If I were one of the over 7,000 patients in this case, I would sue them till the European supreme court.

But, far more important, what in &%$*(? name is the reason for putting EHRs on a laptop in the first place?

The reason why we developed EHRs was to make sure that you could access them from any possible place so these records would not have to move in any physical way for any possible reason.

THERE IS NO REASON TO CARRY AROUND ELECTRONIC HEALTH RECORDS, ESPECIALLY NOT IN BULK.

Sorry for yelling, I can’t stand stupidity.

Lodewijk Bos

30 August 2009 | Categories: Blog.
You can leave a response, or trackback from your own site.
If you appreciate our news pages, don't forget to subscribe!