Privacy – eHealth’s Achilles’ Heel

Various studies and surveys have consistently shown that while electronic health records enjoy considerable public support, the public remains seriously worried about the privacy of those records.  Against that background, a recent Auditor General’s report on a Vancouver Coastal Health Authority system known as “PARIS” is particularly troubling.  According to an article in today’s “The Province”

http://www.theprovince.com/health/Coastal+computerized+health+system+failed+protect+confidential+records+auditor+general+says/2548058/story.html

“Security controls throughout the network and over the database were so inadequate that there was a high risk of external and internal attackers being able to access or extract information, without VCHA even being aware of it”

I have not had time to review the report in detail nor do I know the extent to which VCHA has dealt with the issues identified in the audit.  Apparently the Auditor General withheld the report for six months to give VCHA time to respond to the issues identified in the report.

Mike

3 responses to “Privacy – eHealth’s Achilles’ Heel”

  1. This is a worrying trend. Is it any wonder these sorts of things happen…health IT systems are getting more and more complex, while IT budgets are frozen or reduced. What amazes me is that this sort of thing doesn’t happen every day.

    It’s not like the people who work at VCH woke up and decided to not do their job one day. At some point, the powers that be have to realize that implementing an IT system is only 50% of the issue. Adequately supporting these systems with enough resources for change management, privacy controls, proper user training, etc. is, at least to me, the most important part of any IT project.

    Mark

  2. I’m not surprised.

    I call it the “glass floor” scenario. Privacy protection has a difficult time breaking through the glass floor between policy and operations. Strategic plans/executive statements/press releases all call for “privacy protection” but the operational initiatives to implement the privacy/security measures fail to deliver (or never get started at all).

    It would be interesting to hear what the CISO of Vancouver Coastal has to say about PARIS. An inherently flawed design, or a fixable problem but no resources to fix it? If this had existed as a problem since 2002, why wasn’t the security of the system periodically reviewed and these issues noted for resolution?

    Too bad it takes an AG report to get security flaws addressed.

  3. What a great blog, I wish I found it earlier.

    The point brought up here is a great reason against these “Big Bang” type implementations. They focus so heavily on making sure that the infrastructure is in place that they underestimate the amount of security and support that is required to maintain the system.

    Furthermore, with privacy guidelines the way they are, I simply don’t know why anyone would even try implementing a large custom solution all at once. These massive waterfall projects being undertaken throughout the nation only betray the arrogance of the designers who make them. Instead, why don’t we take bite-size chunks at the eHealth problems we have, so that both our support and security infrastructure can evolve along with it?

    EHR before EMPI? only in Canada…
