About two weeks ago all users of the CGH computer system got a “privacy and security” e-mail reminder from Joe Huber (HIPAA[1] Security Officer) of the Information Systems Department. “Is it okay to write down your (computer) password,” he asked, “if you keep it somewhere out of sight, such as under your keyboard?”
The answer is “no,” of course. When you scrolled down to read Joe’s answer, he explained that “your password…must be kept in a secure location such as a wallet or a purse or locked cabinet.”
In his e-mail Joe reminded us that Information Systems had sent the same “privacy and security” message two times before. He said he mailed it a third time because someone found an employee’s username and password posted on a computer monitor last month. In other words, the contents of CGH’s information system that were available to a specific employee were potentially available to anyone who happened to stop by and write down that individual’s username and password. Anyone.
Consider what you would think if an employee of the credit union were as careless with her username and password. Any unauthorized person would be able to look up your financial information simply by copying that employee’s secret access codes.
It’s just as easy to imagine how patients or family members would feel if they knew their information at CGH was potentially available to a snoop – or worse. Actually, we don’t have to imagine. We have only to read the news.
For the past several weeks the nation’s news reporters and editorial writers have been full of outrage and ridicule involving the Veteran’s Administration because a VA employee took home a computer disk that contained identifying information on 26 million military veterans. While it was in the employee’s home, the VA disk was stolen. Where is it now? What could someone do with so much information about individual Americans, including those serving in the active military? “How could such a thing have happened?” complained the news outlets. “What kind of security does the VA have?”
I read those stories – and I read Joe’s e-mail – and I thought, “What if that happened to a hospital instead of the VA?” Is everyone at CGH safety conscious about their computer passwords and about the files they have access to? Obviously not. A username and password were posted in plain sight in violation of CGH policy.
In today’s information age we have to treat computer information as if it were cash. Like cash, if access to computer information is left lying around, someone will steal it. If you saw cash on someone’s desk, you’d understand the risk right away.
It may be harder to recognize the value of computer data or passwords that give access to data, but we should consider computer data access as valuable as cash.
Using computers gives us great power to see and use and move around large amounts of information. This is much more responsibility than we had in past years when we worked only with paper records.
Being careless with a single file is a serious matter. Being careless with computer data can be a thousand – or a hundred thousand or a million – times worse.
[1] The Health Insurance Portability and Accountability Act of 1996 (HIPAA) addresses national standards for electronic health care transactions involving the security and privacy of health data.
Saturday, June 10, 2006