A trio of ugly situations means painful publicity for lazy or sloppy organizations..
Unsettling article, especially about the former hospital IT manager who created a handful of problems, no doubt he will be punished if you read the article, but should this have happened in the first place? Nobody wants this type of publicity, much less the loss of records, files, etc. Security is something that every health care facility needs to address and take seriously. Sometimes myself I am criticized when pushing network security and measures to take and entertain on a network, but those efforts can certain be rewarded down the road with the lack of incidents like this one. Many times too, though in defense of IT departments the additional costs sometimes falls on dead ears as decision makers may not understand the full implications of what can occur until later when it is too late, and the very funds and perhaps network and software solutions that were turned down, could have been the solution. We all work with budgets these days and IT security should be job number one. BD
September 10, 2007 (Computerworld) -- It's been a week of bad news for lazy or sloppy health care organizations. An employee fired after a security breach of protected health information filed a wrongful termination suit against his former employer, and it may have merit because of poor policies. A community health care provider hacked by a disgruntled employee may be dragged into a compliance quagmire because it's not clear that the organization took basic steps to revoke his access. And to top it off, the U.S. Department of Health and Human Services (HHS) is starting to swing the enforcement rule -- a dowdy part of the Health Insurance Portability and Accountability Act (HIPAA) that few people read -- like a scythe in a field of weedy policies and overgrown practices.
The Council of Community Clinics (CCC) in San Diego ought to ponder that difference as it deals with the aftermath of its recent breach. Jon Paul Oson, a former network administrator with privileged access, quit his job after a disagreeable performance evaluation. He then allegedly gained access to the CCC systems two month later, disabled the backup systems and then systematically destroyed patient data