hippocratic oath

Does data security fall under your Hippocratic Oath responsibility? 

Brand Barney, CISSP, HCISPP
By: Brand Barney
The Hippocratic Oath is one of the oldest professional codes in history. Today, 2,400 years after its creation, nearly 100% of doctors swear to this moral guide. In the medical field, most take the Hippocratic Oath very seriously.

Some key principles of the modern Hippocratic Oath include:
  • Prevent and treat
  • Share medical knowledge
  • Ask questions
  • Remember patients are also people
  • Preserve patient privacy
hippocratic oathWhile some feel the Hippocratic Oath has reached relic status, especially since many of the original principles have been done away with, there are two key parts that should NEVER be abandoned. 1) Patients are people and 2) patient privacy.

I wonder how many of us stop to ponder the power of this oath.

In the wake of the Anthem breach, the impermissible disclosure regarding Jason Pierre-Paul, and the countless smaller incidents not making headlines, are healthcare providers truly taking their oath seriously?

If you said yes, then why are you not doing more to comply with HIPAA? After all, the biggest part of securing and preserving patient privacy is by complying with HIPAA.

SEE ALSO: How Healthcare Security Complacency is Killing Your Organization

HIPAA: It’s not just another government mandate

Unfortunately, from my experience, HIPAA isn’t a major concern to many healthcare organizations. It’s important to remember HIPAA does apply to your organization. The HIPAA Security Rule in particular contains some of the most important considerations for data security that can help you ensure your patient healthcare data stays private.

What does this have to do with patient protection?

As patient records go digital, hacking health records for profit is becoming more prevalent. If patients have their medical records stolen due to your noncompliance with HIPAA, negligence with data security, or pure laziness, you will drastically and negatively affect their lives…not to mention your organization’s brand.

What happens when someone’s health information is illegally sold or fraudulently used?

Bad credit: Say an attacker sells your patient’s information to someone who racks up a bunch of unpaid medical bills, and opens up credit cards or other credit purchases under your patient’s name and social security number. This can seriously ruin the real patient’s credit. Bill collectors could come knocking. The victim could be denied a job due to bad credit.

Did you hear about the man who found out he owed $20,000 in medical charges after he ran a credit report? Apparently an identify thief used his stolen military ID to get kidney stones treated.

hippocratic oath do no harmMisdiagnosis: If a thief gets a treatment under a patient’s name, the real patient’s records could be updated with the thief’s medical data. Not only could this cause misdiagnosis when the real patient goes in for treatment, it might even cause death (in the case of misreported blood type or allergy information).

Check this true story out: A 90-year-old woman from Florida received a Medicare statement for a vasectomy in California. Now, imagine if that woman was a 90-year-old man, and he wanted a vasectomy. His insurance probably would have refused to cover it because “you just had one last year.” What if it wasn’t a vasectomy, but a heart transplant? See how the situation could quickly escalate to life threatening?

Loss of health coverage: Say a patient has a medical emergency, and goes to the emergency room…but their health insurance says they’ve already maxed out their health policy for that year. What is the patient supposed to do?

It sounds ridiculous, but medical identity theft situations like this one happen all the time. If a thief racks up enough doctor appointments, pharmacy refills, and emergency room visits, the real patient might not have any coverage left.

Greater health premiums: False claims against a health insurance policy will raise a patient’s health premiums. After all, if your information has been proved to be stolen in the past, doesn’t that also mean it could be illegally used again? It’s not like a Social Security Number can be changed to prevent future fraudulent use.

That poor patient/victim, and their data, is considered higher risk to an insurance provider. According to Ann Patterson of the Medical Identify Fraud Alliance, insurance premiums increase 7% as a consequence of medical identity theft.

Legal problems: Not only could medical identity theft result in serious financial problems, it could also seriously affect a patient’s personal life.

A woman in Salt Lake City was almost forced to give up her children after a pregnant thief stole her driver’s license and gave birth to a drug-addicted baby. To clear herself of being a drug addict, the victim had to take a DNA test and fork out a $10,000 lawyer bill. She lived in fear about losing her kids for months.

subscribe to blog.securitymetrics.org for more healthcare security articles

Medical identify theft will ruin your patients’ lives

Sheesh. Talk about doing some serious harm to patients.

Did you know that 2.3 million Americans suffer from medical identify theft? Just discovering that the theft even happened takes three months, and fixing the problems that stem from medical identify theft can take months, if not years.

Needless to say, if the patient data you promised to protect is stolen and gets into the wrong hands, it will do longstanding damage to both your organization and your patients.

As you can see, losing Protected Health Information (PHI) is so much different than, say, losing a credit card. Yes, it is a financial burden to lose a credit card, but it really isn’t a unique identifier to a person. PHI, however, does have unique and very sensitive identifiers, and once that data is lost it is insurmountable to think of getting it back. To put this into perspective, when was the last time you had your Social Security Number replaced?

Remember that patients are human beings. Protecting their privacy is priority number one.

The Hippocratic Oath: we can do better

The examples I listed above are exactly why it’s imperative that doctors, nurses, hospital administrators, IT directors…EVERYONE in healthcare should take HIPAA seriously.
Each healthcare professional has a responsibility and stewardship over the patients’ PHI they handle.
The security of our patients’ information is as critical to their health and well-being as their annual physical.

HIPAA is a great tool to start you on your data security path. Is it perfect? Absolutely not. In my opinion, it’s a little too vague. But, by making it your starting point for patient data security, and maybe after getting some extra help, you can feel confident that your patients’ data is protected through the tools, policies, risk analysis, training processes, and security plan you’ve implemented.

HIPAA isn’t something that you can do in a week or a month. In fact, true patient security is a journey and not a destination. But if you take it a step at a time, you can win your healthcare security marathon.

As an industry and as individuals, we can and must do better at protecting our patients’ data! Remember you are not alone in this effort. There are many healthcare organizations that realize the giant security gap and get help to protect the sensitive data they have been charged to protect. Your security matters!

Brand Barney (CISSP, HCISPP, QSA) is a Security Analyst at SecurityMetrics, has over 10 years of data security experience, and will totally geek out if you mention Doctor Who. Brand loves to play jazz piano and daydreams about being as great as Dave Brubeck or Thelonious Monk. Connect with him on Twitter or check out his other blog posts.

HIPAA Learning center