

Health Service laptop goes missing with over eight million patient records - EwanToo
http://www.v3.co.uk/v3-uk/news/2079023/nhs-laptop-goes-missing-million-patient-records?WT.rss_f=Phil+Muncaster+-+V3.co.uk&WT.rss_a=NHS+laptop+goes+missing+with+over+eight+million+patient+records&utm_source=twitterfeed&utm_medium=twitter

======
dspillett
And _still_ , even after all the accidental loses of data from the MoD, the
NHSand the banks, people who hold sensitive data don't setup laptops
containing data like that with decent encrypted filesystem setups...

OK so that isn't a perfect solution (the user could keep their passwords on a
bit of paper clearly marked "passwords" in the laptop's bag, if the user loses
their passwords the data is lost to them (unless a multi-key system is used
and the IT dept keeps their own key so they can reset the user's access,
though that probably requires the user sending the laptop into central IT for
a time), data could still be emailed out to insecure places by the user, and
so on) but it is a _far_ better situation than leaving the data unencrypted on
the easily liftable device.

It really does surprise me that after the last five or more years a proper
encryption regime isn't mandated on laptops holding such data.

~~~
arctangent
I work for a very-well-known-and-frequently-mentioned-in-the-press
organisation in the UK healthcare sector and I can assure you that everyone
here has encrypted laptops.

In many ways it's a pain in the ass, because almost exactly none of us will
ever use Patient Identifiable Data but we have to put up with machines that
run much slower than they should due to the on-the-fly encryption. We're also
physically incapable of burning CDs/DVDs or using USB sticks etc.

------
leeHS
Who exactly designed a system which allows a single laptop to store this many
records at once? I could see couple of dozen or so at a time, even a hundred,
if a doctor wants to download all his patient records for the week. But 8
million on one laptop? I don't even know what to say.

~~~
CWuestefeld
Based on my knowledge of what my wife does for a living, securing a hospital's
reimbursement from Medicare/Medicaid, I think I can make a pretty good guess.

It's a single person, or small department, using some off-the-shelf tool like
Excel or Access to massage data into the format necessary to integrate it with
one of the various third parties that must process it in order to get full
reimbursement while ensuring compliance with regulations. The problem itself
demands that huge amounts of personal data are gathered together, and the way
the system works generally forces it to be handled by a regular person, on
their workstation.

Obviously this data needs to be shared with the payor (e.g., Medicare). The
thing is that the reimbursement regulations change _constantly_ (not just
every year or something, but literally weekly in the Federal Register), and
changing regulations demand different reporting procedures and formats. The
constantly-changing nature means that it's not a very good candidate for
automation: every hospital (and every other healthcare provider) would need to
have IT staff constantly active addressing changes, or at the very least,
providers of hospital ERP/records systems would need to be constantly
addressing changes, and hospital IT would need to constantly be integrating
software updates.

And it's not just the payor that's a problem. There are countless third
parties that communicate this data. Because cases are handled as cases rather
than people, when a case is transferred to another hospital, or sent out to a
specialist, that must be tracked. But frequently it's not the hospital doing
the checking, it's the patient himself that checks himself out and goes to
another hospital. That means that hospitals are constantly downloading
Medicaid records to cross-check against their own data, and negotiating with
other providers to determine who gets "credit" for the cases. Since all of
these third parties have their own systems, and the number of combinations of
transfers between providers is astronomical, the communication of this data
tends to turn into one-off projects, demanding that a human compile the data
in a way that both sides agree to.

So it appears that part of the need to keep human hands in heaps of personal
data, is driven by the nature of our healthcare regulation.

(I know the article is written about the UK, but I'm assuming that much of
what I've said generalizes across the ocean)

~~~
HN_Addict
I can second this with my knowledge of what my mother does for a living.

The hospital inputs their data into Epic medical software. The home care
agency tracks their data in an 80,000-line Excel spreadsheet (less than
8,000,000, which is good, right?). My mother copies down the name and other
personal identifiers like insurance numbers from the Excel spreadsheet, counts
(with the end of a pen on the screen) the number of billable visits, and
enters this _by hand_ onto a printed form which receives minor changes as you
noted. She then collates these forms into stacks for various insurance
agencies, and faxes the piles to the appropriate numbers. She's an RN, has 20
years of experience, and this is what they pay her to do?

Oh, and her password for remote login to do this from home was (until last
week when she told me because I was talking to my sister about password
strength) literally abc123. This was the default set by the IT department
about 2 years ago.

I will never work in medical IT due to real-life horror stories like this.

~~~
pavel_lishin
> I will never work in medical IT due to real-life horror stories like this.

I'd wager that there are real-life horror stories like this for just about any
industry - they happen whenever non-computer-savvy people meet computers.

------
theBobMcCormick
Why the hell do organizations keep putting this kind of sensitive data on a
laptop?

Even if your process requires someone remote from the office to work with the
data in desktop tools like Excel, etc., it seems like it'd be good sense to
require them to do it over a Terminal Services or Citrix connection to a
secured server.

