This report surfaced this past week.
ok .. so .. the report isn't available, but the execurity summary is there.
It's not clear to me what motivated the authors to write the report, but th eemphasis is clear – that they found security problems in electronic health records.
This is no surprise. People do break in to systems regulary. But it's not necessarily teenage geeks hacking in to see grandma's mammogram. From sticky notes on hospital CRT monitors with usernames & passwords … to support calls for "password reset requests," people get into systems every day that the shouldn't get into.
But the human factors may be more important than the technical ones – and the report referenced above (ok . the summary of the report) doesn't give us any references or data on the sources of the security breaches.
Indeed, at one of our local hospitals – I called the IT department a few weeks ago because my password had timed out. The support person asked me to identify myself – and promptly reset my password – telling me the new one – and pleasantly wishing me a good day. Despite the security practice at this hospital that requires the support person to validate my identity somehow, customer service "won" – while the security of the system was potentially compromised.
It's complicated. Kaiser Permanente's system isn't so secure. And as this report (scroll down) outlines, insecure passwords, sticky notes, unsecured wireless, and shared accounts represent an enormous number of commonplace risks.
But even with such risks – and others – it's clear to me that electronic records, with locking, logging, and (some) security – are vastly more secure than a pile of paper on a desk/shelf etc.