250.469.9070

It seems like the news is regularly featuring some kind of breach of medical record security in which thieves walk away with thousands of personally-identifying records and information. Quite often, these are misreported as being data breaches or the theft of electronic records.

In many cases, this reporting may be technically true, but digging deeper finds that it wasn't the work of highly-skilled, nefarious hackers who did the job. No, more often than not it's an errant employee or dumb mistake on the part of the hospital, doctor or health insurer's IT department that created the breach.

Consultancy firm Software Advice had their analyst Michael Koploy look into the most recently compiled information about medical records breaches as published by the U.S. Department of Health and Human Services. The records are available online at HHS.gov.

=== Surprising Find - Most Records Thefts Are Petty Thievery, Not Hacking

What Koploy found was that most records thefts are petty thieves in action, not skilled computer hacking attempts. For instance, one theft of 6,800 paper records was through simply stealing them out of the company's outbox so that they never arrived at their destinations, but instead fell into the hands of the thieves. Another involved a person impersonating a recycling service employee and taking 1,300 individual's records (mostly paper and micro-film).

These aren't exactly breaches due to the cloud. One of the larger thefts did involve electronic records, but they were ones wrongfully stored on an employee's laptop which was subsequently stolen. Any IT department worth its salt knows that the security of records requires that they not be able to be stored on individual's equipment like that.

In fact, of all of the HHS data about stolen or compromised patient records, more than half of the 6 million records so compromised were due to non-electronic record theft - which has little or nothing to do with cloud computing or even information technology.

=== Only 7 Events Involved Cloud-Based Computing

In all, only 7 events involved cloud-based computing at all. According to HHS records and Koploy's research, of those seven, none were in cloud-based systems and all were due to on-site physical breaches, not hacking.

The largest of them was a truckload of hard drives bound for destruction (along with their data) that was hijacked and stolen. The rest were breaches of data centers, theft of physical servers, and the like.

Koploy concludes, and rightly so, that paper records and the physical security of them and of closed network services are the primary (and so far only) cause of medical records thefts. He points out that the use of cloud computing virtually eliminates these threats since the records are then stored in multiple locations on multiple servers and may not even be on the same server all of the time.

So when you take a closer look, medical records breaches are thanks to the old way of thinking in regards to records.

** Source:  James Burchill @ itincanada.ca