BreachExchange mailing list archives

Did Auckland District Health Board overreact to privacy breach?


From: Erica Absetz <erica () riskbasedsecurity com>
Date: Fri, 14 Jun 2013 09:28:44 -0500

http://www.phiprivacy.net/?p=12945

In the U.S., we expect entities to take strong and effective action to
address employee snooping or improper sharing of patient confidential
information. But a professional group in New Zealand is not happy with
the Auckland District Health Board’s response to a breach previously
reported on this blog involving a patient who sought emergency
treatment for an eel up his tuchus. His records were shared among
staff and somehow made their way to the media, leading to the ADHB
disciplining over 30 employees at Auckland City Hospital.

Ruth Larsen reports that the ADHB’s circulation of the privacy
agreement has drawn some strong criticism from the executive director
of Association of Salaried Medical Specialists:

Particularly objectionable is a clause stating passwords and logins
must never be shared, and staff are accountable for all transactions
in Auckland DHB information systems under their login/password, he
says.

There are often good reasons for other staff members to share patient
files, Mr Powell says.

Wait, what? There are good reasons to share patient files, but if you
let a colleague access a file under your login and you walk away, do
you know what else they’re accessing? How many times have we seen this
here – where shared logins or failure to log out led to theft of
patient information? The ADHB is correct, in my opinion, to reinforce
the importance of not sharing passwords and login credentials.

Under the agreement, staff are also expected to ensure anti-virus
software is installed and up-to-date on the computer they are using.

Well, okay, there I might agree with any pushback. That shouldn’t be
on employees unless it’s a BYOD, and should rest with the hospital’s
IT department.

Sending out the agreement shows a top-down mentality within the DHB, he says.

However, ADHB chief executive Ailsa Claire says in a media statement
the privacy agreement is one all staff sign when they begin employment
at the DHB.

It is exactly the same document that has been in use since 2008, Ms
Claire says. (emphasis added by me)

“We are reissuing it to raise awareness of privacy and the absolute
commitment ADHB has to ensuring patients’ records are not
inappropriately accessed.”

Ms Claire acknowledges there are “issues” with the form and has given
a commitment to work with staff to remedy them.

ASMS members have been advised not to sign the agreement and the
association has requested the DHB replace it with a reminder to staff
of their obligations regarding privacy.

Note that this was posted on nzDoctor.co.nz. Because they do not
include a copy of the agreement, it’s impossible to know exactly what
the wording is and what changes might be reasonable to make, but no,
it is not enough to just remind staff of their obligations to protect
privacy and confidentiality. Employees need to sign agreements, they
need to know they are being watched and that their access is being
logged and audited, and they need to know that there are consequences
for failure to adhere to the privacy policies. The protections are
there for the patients, and if staff find them inconvenient or feel
that they interfere with patient care, start a serious discussion, but
it is not effective to just send a reminder as the association is
requesting. We have too many breach reports proving otherwise.
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss-discuss

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges. 

Tenable Network Security (http://www.tenable.com/)
Tenable Network Security provides a suite of solutions which unify real-time
vulnerability, event and compliance monitoring into a single, role-based, interface
for administrators, auditors and risk managers to evaluate, communicate and
report needed information for effective decision making and systems management.
