CSOonline: Well, some folks argue that they're probably more secure there because that's the job of the cloud provider. And a cloud provider may have the resources and expertise to focus on keeping the systems more secure.
Burgess: I would say that it is incumbent upon the custodian of the data to understand if the level of protection is equal to or superior to that which you can provide in your own environment.
Burgess: Because the delegation of security doesn't delegate responsibility, right?
Burgess: I absolutely agreed with what you just said. And does the service provider have access to your data? Can they read your data in clear text? If they can, are they in a position where they may be able to access your data and thus violate the integrity of the information without your knowledge? So what's my solution? Encrypt, encrypt, encrypt. If you're going to store data outside, make sure it's stored encrypted. That way you don't have to worry about whether or not your service provider can access your data. And that if they lose patient data, by extension they will probably lose patients. And if you lose your patient base, then you are soon out of business. Thus I believe there is a very clear connection between the continuity of business and the necessity of protecting patient data from inadvertent disclosure or disclosure when assets are stolen.
There were some examples that were laptops stolen out of trunks, laptops lost, or thumb drives that contain data misplaced. Again, why isn't the data encrypted then? If the thumb drive is encrypted and lost, it's a nonevent. It's when the laptop is lost and it's not encrypted and the data is known to be there in clear text, the entities or the individuals are crossing their fingers that this was just a theft and somebody's going to reimage it and not use the patient data.
CSOonline: There are plenty of cases of theft of notebooks, drives, even servers out of data centers. But do we have evidence that criminals are targeting medical information specifically?
Burgess: There is an instance of hard copy records being stolen from a doctor's residence. He took the records home to destroy from his private practice, and the thief was caught trying to sell the information. So it's not hypothetical anymore. People are stealing medical information to sell. Remember a criminal engages in theft for two reasons -- monetization or increased capability to engender more monetization. That's it. It's about power, access, and capability and making money. So when somebody steals something, you have to think through why did they steal it? And that's why I wrote it in this fashion for Mayo. In this aspect, about breaking trust, the way to keep your pulse on it is actually communicate with your employees. Let them know that you absolutely care about them, that they are the most important assets to all concerns. They are the avenue by which the corporation, the individual doctor, etc. engages with their patients and provides support to their patients. But what about the bad employee that was bad before you hired them? There were instances where individuals were hired that had criminal records that were germane to the duties in which they were given. For example, one lady was hired and they had a prior record on absconding with information and using it for identity theft. But she was hired to handle patient information.
CSOonline: Yes, that's just crazy. I think society wants to give people second opportunities, but to put someone in that position just seems ill-advised.
Burgess: In the United States, it is so easy to get an in-depth background check on any individual who gives consent, and it is inexpensive. There is no reason that a background check shouldn't be done on every individual who is touching patient health care records.