Americans Trust Docs, But Not Computerized Records 162
Lucas123 writes "A soon-to-be-released survey from CDW shows that Americans trust their physicians to use their health information responsibly, but they're very concerned that once in electronic format, their personal health information may suddenly show up on the Internet. Their fears may not be unfounded. CDW said that survey data showed 30% and 34% of doctors lack basic anti-virus software and network firewalls, respectively. Most amusingly, however, nearly a quarter of the 1,000 patient respondents said they don't even trust themselves with access to their own electronic health records."
Re:Not unfounded. (Score:4, Informative)
I have seen medical practices on both ends of the security fence, and it is sad... I've been in practices that I would never, ever, visit as a patient because I have no faith in how things are run there from an IT security view point... At the same time, I have worked with other orginazations that do take security very seriously, and do everything possible to ensure that all data is kept private... The thing that really sucks is that you really have no way of knowing what type of office you are visiting until you see the report that your record has been leaked.
Someone else posted in here that most practices are afraid of HIPAA and will do anything to keep things safe... Unfortionately I have seen alot of practices that couldnt give a crap about HIPAA and won't listen to any reasons as to why they should not run bittorrent on their office computer. The bottom line is that until HIPAA and HITECH start producing more results, busting more practices, and making everyone aware that they do have teeth this is going to continue to be a problem. HIPAA has been around for a long time, but until HITECH came around it has been a joke, and only enforced in the worst of senarios. I still think that both of the policies are too loose, and enforcement on those policies today is still largely reactive, when it's too late.
Re:HIPAA security audits? (Score:4, Informative)
The problem is that HIPAA is severely broken. Most hospitals violate some part of HIPAA countless times per day as it's not even possible to operate within it's guidelines and be able to realistically treat patients. Another issue is the FDA understands how to deal with IT about as much as it knows how to building a Saturn 5 rocket.
Here's an example that I've witnessed many times over the years. A vendor installs an MRI system in a hospital, the control computer the technologist uses to scan patients is Windows based. Obviously the system needs to at least be on the local hospital network so that the patient scans can be sent to a reading station so that a Dr. can look at the images. Neither of these systems can have any software installed on them that is not FDA approved. So by law, unless you have an FDA approved security program you cannot install it on either of these systems, or any system that contains patient data for that matter. If you do have an FDA approved program you need to prove that it will not affect any of the calculations that are made for determining a diagnosis as well. It gets even better though. If you do find a security suite that you can use, the vendor is not responsible for worrying about it in the case of system updates. So when an update comes out the vendor sends in an engineer who generally will simply re-image the drive with the new update, thereby wiping out your security programs.