Recently I was asked to pull together a HIPAA article for some medical folks. HIPAA is the Health Insurance Portability and Accounting Act. Sounds Washington D.C. kind of important, eh? Well it is since, among other sundry red tape things, it is all about keeping your personal medical information secure while being stored in your doc's office or in transit between people and/or computers. You can only imagine how deep and wide this rabbit hole goes. Being that it involves technology, our IT practice is heavily involved in helping customers reach an acceptable level of compliance. This is true of HIPAA as well as SOX (Sarbanes Oxley) and PCI-DSS ( Payment Card Industry Data Security Standards). I see you yawning. Resist the urge and keep reading. Believe me when I say this is not a blog about compliance. Ok, so, these compliance standards are rooted in basic common sense, with a heavy dose of responsibility and a super-sized portion of technology control. For a while now, many have argued that these so-called standards were toothless tigers. And they were right. That is until we really started to become a mobile society.
Anyway, I agreed to write this article so long as I could take a different approach. People (especially doctors) don't need me to parrot volumes of regulations to them. They get this every day from everyone else in their lives. I will go out on a limb here and say it is the least favorite part of their day. So I chose to do what I do best: use examples and analogies in order to get my point across. Upon completing it, I realized that while this article was primarily intended for medical folks, it would surely resonate with most of you. No, the idea is not to paint doctors in a negative light. Much the contrary. I have a profound respect for the fine folks in the medical community. The idea is to show how easy these kind of things happen to all of us every single day.
I should point out that the article slants towards the Mac side but absolutely applies to Windows and Android as well. I chose this path since most of us now live in mixed worlds of Microsoft, Apple, and Google machines. Quite frankly, I believe most everyone is at least moderately aware of the inherent risks involving Windows use. The same is not true on the Mac side. All the more reason to make noise on this front given the growing number of Apple devices finding their way into the corporate world. Continue reading and you will see what I mean.
You're a doctor. You’re entering a special place in our society. People will be awed by your expertise. You’ll be placed in a position of privilege. You’ll live well, people will defer to you. call you by your title – and it may be hard to remember that the word “doctor” is not actually your first name - Alan Alda
Boy that sounded good some years ago when you went to medical school didn't it? Now comes the reality. And it goes something like this.
A Day In The Life
It's 11:00am and you have a cancellation. Just enough time to grab a quick bite and get caught up on some work. You steal away to the café downstairs to have a cup of coffee, late breakfast, and extinguish your hair. Out the door.
Let me grab my smart phone. Those test results should be here by now. My PA better not forget to forward the email to me. She is the only one that knows where I am "hiding" right now. Nothing yet. Ok, let me whip out the laptop. Ah, forgot the café has free WiFi. Great! So nice that everything is web and remote desktop now. No more slow programs on my laptop. A few emails, updating our patient information system. Ugh. That damn password. So hard to remember and I am not at my desk to look at that sticky note. Ah, right, I put it in my phone. Here it is. Open sesame! Jeez, my laptop is running a bit slow. Making all sorts of noise. Seems like every time I open this thing there are a hundred updates. It will need to wait until the next time. Where is the "Not Now" button (Click Here) ? Here it is. I will do it later. Emails, emails. Let's see; delete, delete, delete, read later. Hmmm. Ok, need to answer this other doc and his questions about our mutual patient. Here is the info he needs. Convert to pdf and off it goes with a cc to myself. What on earth did we do before email. Hey, looks like one of my med school colleagues is going to be in town (at least according to Facebook). Let me click this link and tell him I am here tomorrow. Jeez, now my laptop is really grinding away. I am so "over" this technology. It is supposed to make my life easier. Need to bring this steaming turd back upstairs to our IT guy. So much for getting work done.
"Hey, you're infected and I need to reload your laptop" he says. Great. No laptop for the rest of the day. Unreal. I bought this really expensive Mac because they said it never gets infected. Explain that to me! Never mind. Guess I need to rely on my...oh god...where is my phone? Must have left it in the café. I hope no one grabbed it. Everything is in there! My pictures, my passwords, my emails, account numbers, directions to my home...my entire life. And what about the patient info? "Haven't seen it down here, doc" says the waitress. Holy cow this can't be happening. Not to me. Not today. Not right now. It has to be here. If not, I am totally screwed to the wall. How could I be so stupid to have all that stuff in my phone let alone lose it. Oh god what have I done.
Ticket To Ride
Ok, so what just really happened here? Quite a few things, some of which are not so obvious. Let's start with the easy stuff. You have a Mac. So one of those Apple Store baristas told you that you are impervious to any type of infection, right? If that is true, why do companies make antivirus software for Macs? Hmmm. The reason is because they CAN get infected. In fact, 20% of Macs carry malware (Mac Malware). And the number is growing . Folks, if I told you that it was perfectly safe to leave all of your holiday gifts in an unlocked car while you walked into the mall, you would give me a free ticket to the funny farm. Or you would have me arrested for preemptive theft (if there is such a thing). Those days are gone. So are bullet-proof Macs, or any other device for that matter. Anyone telling you otherwise simply doesn't know.
So where were we? Oh right, you are using your laptop on a public WiFi system with no firewall between it and the Internet. You thought you were immune, you never installed antivirus software nor any of those updates - remember the "Not Now" button. This is how you get infected...the easy way. And now for what you don't see. Since the hard drive wasn't encrypted, all that data is leaping off your device like a hot chili pepper, for all the world to see. You might as well go on vacation with $100,000 on the dining room table, leaving all the windows and doors wide open and announcing your departure as you drive down the street. Yea, it is that quick and that easy. That "griding noise" you are hearing is not an update or a virus scanner; it is the trojan yanking all the data from your hard drive and sending it to the Internet. Sure a hacker doesn't really cares about those pictures from Cabo or the pirated copy of The Matrix. But they do care about those patient social security numbers and that QuickBooks file you run around with. Congratulations! Your data just arrived in the Cloud, without your permission.
And what could be easier than getting infected? Why giving away your phone of course. No physical harm. No guns. No holdup. Just left it there for someone to grab. Yes, you should be mortified, but not because you lost your phone; its because of what was inside of it. And you knew better. But it was so convenient. And you never thought you would lose it. That is why they are called "accidents" and not "on purposes." Credit card numbers, SkyMiles account, patient system passwords, combination to your rental house lock box, and your kid's socials. Your IT guy told you to turn on the swipe lock. You didn't. He also told you to install that remote nuke program. You know the one that would locate and wipe your phone in case it got lost. Yea, on your todo list which happens to be on your phone.
Fixing A Hole
With your head buried in your hands, you didn't really see this coming. This is as serious as it gets. Wasn't exactly what you had in mind when someone long ago said your life could change in a moment. And why? Because over the years you been conditioned to watch out for medical meteors and not data ones. I'm talking about marginal insurance reimbursement, unrealistic cash flow, malpractice and lawsuits...those kind of things. Getting infected? Losing your phone? They sound so innocuous compared to the others. But they can be far more dangerous with ripple affects felt for years to come. Different kind of meteor. Just goes to show that taking a few of life's little conveniences and adding a pinch of distraction can produce catastrophic results.
You experience a sense of being completely naked yet you are fully dressed, followed by a feeling of emptiness and anger. It is at that moment that you "get" what HIPAA is all about. While it seems like it exists solely to make your medical life a living hell, miring you in procedures and expense, it is really about protection. Protecting patients. Protecting yourself. And protecting yourself from yourself. I submit to you that it should be changed to stand for Helping Important Professionals Acknowledge Awareness. Ah, the difference a moment of pause can truly make.
Copyright © Richard Harber, Decision Digital Inc. All Rights Reserved