Tuesday, March 22, 2011

PHI, HIPAA and Why Patients Should Worry

Sometimes, I despair.

People are worried that when we put their health information into EHR systems, it will be vulnerable to hackers. They worry that anybody will be able to see their medical records. The large hospital systems that I work with are fairly well protected. Their security personnel are well-trained professionals who take their jobs seriously. They ensure that technical controls and process controls are in place to secure their systems and the data that is contained in them.

But a system is only as secure as its weakest link.

Today, I got an email asking me to set up an interface with an external trading partner. It's a simple, file-based interface. I just need to go out to an external FTP site, pick up a file and deliver a copy to an internal system for them to process.

I told the Project Manager that if the file contained Protected Health Information (PHI), we would need to use SFTP instead of FTP for the transfer to protect the information.

He asked me what data elements would be considered PHI.

This is a project manager at a medical school. We learn what PHI is and why it needs to be protected whenever we take HIPAA refresher training.

I gave him a short list and sent him a link to a FAQ.


The file that they are proposing to send contains names, addresses and phone numbers of patients. It is most definitely PHI, and I will not build an interface that does not protect it adequately when it is flowing over the wire.

If I had not asked, this data would have been transmitted in the clear over the wire and would have been vulnerable to interception.

The level of competence found in IT staff at smaller provider organizations concerns me. That's where we are vulnerable. Hackers will not waste their time attacking the well-defended, hard targets. They will steal your data from the poorly defended, soft targets. I fear that there are too many easy targets out there.
