I found the Nov. 13 InformationWeek commentary by Mathew J. Schwartz, titled “Petraeus Fallout: 5 Gmail Security Facts,” to be both entertaining and instructive.
As Schwartz puts it simply and eloquently, “Want to avoid a fall from grace? Then ensure you’re not the chief of a spy agency who coordinates your extramarital affairs using a free webmail service. That’s one information security takeaway from the ongoing probe into the former director of the CIA, David Petraeus, who resigned after 14 months on the job.”
What’s more, I just can’t help quoting the second paragraph of Schwartz’s commentary, as he writes that “Petraeus’ fall from grace stemmed from an FBI investigation, which began after anonymous, threatening emails were sent to Jill Kelley, a friend of Petraeus. According to The Wall Street Journal, Kelley—who serves as a volunteer with wounded veterans and military families—complained about the emails to an FBI agent who’d pursued a friendship with her… The agent passed case details to the bureau’s cyber investigators, who ultimately found that the emails had been sent by someone who also had access to a Gmail account used by Petraeus. The resulting national security investigation ultimately revealed that the emails had been sent by Petraeus’ biographer Paula Broadwell, and that the CIA director was having an affair with Broadwell.”
Alrighty, then. So, upfront, two things: first, it is far, far beyond the scope of Healthcare Informatics to comment on the substance of the Petraeus affair, even as official Washington is abuzz about the astonishing scandal, which continues to unfold like some kind of soap opera in real time, or, as one Washington wag put it, “The Real Housewives of CentCom.” And second, obviously, the cyber-shenanigans now being uncovered in this affair, which encompass at least one active general and a whole bunch of individuals from the worlds of intelligence and policy-making, are far removed from anything like the day-to-day concerns of healthcare IT leaders.
All that having been said, there is one nugget in all this that seems to me eminently worth commenting upon. And that is the blithe assumption some in healthcare IT might be making that all the key people in their organizations, and most especially their clinicians, fully understand the supreme importance of the data security policies that must be put into place, and continuously supported and maintained, in order to prevent the kinds of data security breaches that are, unfortunately, actually taking place in patient care organizations nationwide.
As HCI Associate Editor Gabriel Perna noted in his October/November feature on the subject, the number of U.S. patients affected by data breaches this year doubled over last year, from 5.4 million to 10.8 million, according to data compiled by Kaufman, Rossin and Co., a Miami-based accounting firm. That is nearly one out of every 30 people in the United States—an astonishing number.
And it’s frankly disturbing how many data security breaches are erupting out of such mundane situations as home health nurses leaving laptops in cars, with those laptops later being stolen, and from countless variations on such themes. For example, as Gabe noted in his article, the four-hospital University of Utah Health Care system experienced a data breach when backup tapes, which a third-party organization was transporting to a storage facility in the mountains, were stolen; those tapes, which contained information on over one million patients, ended up in the house of some small-time thieves. Before the breach, CIO Jim Turnbull told Gabe, “there was a belief that the tapes were encrypted, and in fact they were not. So we put encryption practices into effect immediately.”
Exactly. And this is the kind of reality that CIOs and other healthcare IT leaders are facing today. As information becomes progressively more electronic, the possibility for data breaches seems to be growing almost exponentially every year. Perhaps one of the most spectacular security failures occurred in May 2006, when a laptop containing the Social Security numbers of 26.5 million U.S. veterans was stolen from a Veterans Affairs employee’s home. That analyst had violated VA policy by taking home a VA laptop. Since then, the VA has moved forward on implementing strong encryption policies.
What’s more, a vast array of new technologies, some of them coming out of clever start-up firms in IT, are becoming available to help in these efforts, including technologies that can immediately and remotely wipe clean the hard drives of laptops, smart phones, and other devices that are lost or stolen.
But everyone involved in any patient care organization’s data enterprise, whether an employee, affiliated physician or other clinician, contractor, and so on, must be thoroughly educated and trained in the most up-to-date policies and procedures in this area, to (as much as possible) prevent data security breaches. And even though it would be naïve for any CIO to believe that she or he could avert any and all incidents, it is absolutely essential that we as an industry do everything possible to minimize their occurrence, for obvious reasons.
So while it is mind-boggling to think that David Petraeus would share an unsecured Gmail account with someone with whom he was having an affair and who had a level of security clearance, and who was also writing a biography of him (!), is it so mind-boggling to think that an extremely busy and hassled home health nurse might inadvertently leave an unsecured laptop in the trunk of her car while dashing around her community on a super-busy day? No, it is not. And therein continues to lie the immense data-breach rub.