Forwarded from: Marc Maiffret <marc (at) marcmaiffret.com>

It is always funny when you hear about organizations, as critical as medical or finance, still depending on the honor system for security. Those lovely employee security handbooks that put to paper what you could enforce through technology. But of course there is the old tired excuse that it costs too much and is too complex to do proactive enforcement rather than reactive policing. It is in fact true that reactive policing is cheaper when there is no incident, but much more costly when there is. Whether, as in this case, it be the immeasurable loss due to negative publicity or the HR and related costs of having to now fire, hire and train new employees.

You also have to wonder whether it is only the ability to view our medical records that is based on the honor system, or also the ability to modify them.

-Marc Maiffret

P.S. The "quick fix" (ha!) of course: add an actually useful requirement to all this regulation garbage that goes beyond "You will use anti-virus" to "Your medical record system should provide mandatory access control to patient records" bla bla bla

-----Original Message-----

http://www.mtv.com/news/articles/1583480/20080314/spears_britney.jhtml

By Larry Carroll
MTV News
March 14, 2008

LOS ANGELES -- In the song "Leave Me Alone," imperiled pop star Britney Spears sang, "Leave me alone/ Let me live my life in peace." Now, she might want to sing those words to the medical workers on duty during her most recent hospital stay.

The Los Angeles Times is reporting that the UCLA Medical Center has launched an investigation into some 25 employees who peeked at the singer's confidential medical records during her late January/early February stay in the psychiatric ward. This week, the hospital began the process of firing 13 employees, has suspended at least six more, and is considering discipline against six other physicians who looked at her computerized records.

"It's not only surprising," human resources director Jeri Simpson told the paper, adding that similar firings also followed Spears' 2005 stay, when she gave birth to her first child, Sean Preston. "It's very frustrating, and it's very disappointing.

"I feel like we do everything that we possibly can to ensure the privacy of our patients, and I know we feel horrible that it happened again," Simpson added, offering an apology to Spears. "I don't know what it is about this particular person."

UCLA confirmed that, in an attempt to keep this breach of ethics from occurring, officials had sent out a memo on the morning Spears was hospitalized. The memo reminded employees that they were only allowed to view their own patients' records and that doing otherwise violated a federal patient-privacy law called the Health Insurance Portability and Accountability Act.

"Each member of our workforce, which includes our physicians, faculty, employees, volunteers and students, is responsible to ensure that medical information is only accessed as required for treatment, for facilitating payment of a claim, or for supporting our healthcare operations," the memo read. "Please remember that any unauthorized access by a workforce member will be subject to disciplinary action, which could include termination."

[...]

___________________________________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn
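The contrast the post draws, a policy memo backed only by after-the-fact review versus a system that checks the treatment relationship before releasing a chart, can be shown in a few lines. The example below is added here and is not code from the post, the list, or any hospital system; the user ids, patient ids, care-team assignments and chart contents are constructed sample data, and the "treatment relationship" rule is a simplified stand-in for the treatment/payment/operations purposes the memo names.

```python
"""Added example (not from the original post): treatment-relationship access
control for patient records, beside an audit-only "honor system".

All names, ids and assignments below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Records:
    # patient_id -> set of user_ids with an active treatment relationship
    care_team: Dict[str, Set[str]] = field(default_factory=dict)
    # patient_id -> chart contents (constructed placeholders)
    charts: Dict[str, str] = field(default_factory=dict)
    # append-only audit trail: (user_id, patient_id, decision)
    audit: List[Tuple[str, str, str]] = field(default_factory=list)

    def assign(self, user_id: str, patient_id: str) -> None:
        """Record that user_id is on patient_id's care team."""
        self.care_team.setdefault(patient_id, set()).add(user_id)

    def has_relationship(self, user_id: str, patient_id: str) -> bool:
        return user_id in self.care_team.get(patient_id, set())

    def read_honor_system(self, user_id: str, patient_id: str) -> str:
        """Honor system: every read is served; the log is the only control."""
        self.audit.append((user_id, patient_id, "allowed"))
        return self.charts[patient_id]

    def read_enforced(self, user_id: str, patient_id: str) -> str:
        """Mandatory check: the relationship is verified before the chart is
        released. Denials are logged too, so attempts stay visible to review."""
        if not self.has_relationship(user_id, patient_id):
            self.audit.append((user_id, patient_id, "denied"))
            raise PermissionError(
                f"{user_id} has no treatment relationship with {patient_id}")
        self.audit.append((user_id, patient_id, "allowed"))
        return self.charts[patient_id]

    def find_snooping(self) -> List[Tuple[str, str]]:
        """Reactive policing: scan the trail after the fact for served reads
        that had no treatment relationship behind them."""
        return sorted({(u, p) for u, p, d in self.audit
                       if d == "allowed" and not self.has_relationship(u, p)})


def build_sample() -> Records:
    """Constructed sample data (hypothetical ids and assignments)."""
    r = Records()
    r.charts["patient_042"] = "chart-042"
    r.charts["patient_007"] = "chart-007"
    r.assign("dr_ortiz", "patient_042")   # treating physician
    r.assign("clerk_lee", "patient_007")  # works a different patient's claim
    return r


if __name__ == "__main__":
    honor = build_sample()
    honor.read_honor_system("dr_ortiz", "patient_042")   # legitimate
    honor.read_honor_system("clerk_lee", "patient_042")  # no relationship, served anyway
    print("honor system, found after the fact:", honor.find_snooping())

    enforced = build_sample()
    enforced.read_enforced("dr_ortiz", "patient_042")
    try:
        enforced.read_enforced("clerk_lee", "patient_042")
    except PermissionError as exc:
        print("enforced, blocked at read time:", exc)
```

The point of keeping both code paths side by side is that the audit trail is identical in shape; what differs is whether `has_relationship` runs before the chart leaves the system or only when someone gets around to running `find_snooping`. In a real record system the relationship table would come from admissions or scheduling data and would need a logged break-glass path for emergencies, neither of which this sample models.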
This archive was generated by hypermail 2.1.3 : Tue Mar 18 2008 - 00:52:23 PST