
Breach at Stanford Hospital Exposed Data of Thousands of E.R. Patients - dekayed
http://www.nytimes.com/2011/09/09/us/09breach.html?_r=1&hp
======
siculars
This is an incredibly pervasive problem. As someone who has worked in
healthcare medical informatics for a long time, I can report that errant
spreadsheets with all sorts of data are floating around in virtually every
medical institution.

Informatics in general and information security in particular are participants
still new to the table at large healthcare institutions. It will take some
time for policy to be formulated and yet more time still for it to be
implemented organization-wide. I really don't know if there is any one silver
bullet here outside of prohibiting all data sharing, which, frankly, is not
possible.

There are so many different electronic information systems that people need to
get data out of in all sorts of different formats, including paper, that the
only real way I see this working is for vendors to force de-identification on
export. See pioneering work by Sweeney[0] of CMU in this area. There are a
number of systems that already do this but it is not the norm just yet. Not to
mention the incalculable number of shadow systems that people use just to get
their jobs done.

The overarching problem, imho, is simply that healthcare institutions have not
adequately invested in their own internal technology teams. By and large, they
are thinly resourced and overburdened. Whatever technical leadership does
exist is simply not valued on the same level as top medical personnel with MD
backgrounds. We will only begin to see a change when medical leadership
accepts and invests in technology as an equal partner and not just a tool.

[0]<http://latanyasweeney.org/work/index.html>

