Physician Operates On Server, Costs His Hospital $4.8 Million

Hugh Pickens DOT Com (2995471) writes "Jaikumar Vijayan reports at Computerworld that a physician at Columbia University Medical Center (CU) attempted to "deactivate" a personally owned computer from a hospital network segment that contained sensitive patient health information, creating an inadvertent data leak that is going to cost the hospital $4.8 million to settle with the U.S. Department of Health and Human Services (HHS). The error left patient status, vital signs, laboratory results, medication information, and other sensitive data on about 6,800 individuals accessible to all via the Web. The breach was discovered after the hospital received a complaint from an individual who discovered personal health information about his deceased partner on the Web. An investigation by the HHS Office for Civil Rights (OCR) found that neither Columbia University nor New York Presbyterian Hospital, who operated the network jointly, had implemented adequate security protections, or undertook a risk analysis or audit to identify the location of sensitive patient health information on the joint network. "For more than three years, we have been cooperating with HHS by voluntarily providing information about the incident in question," say the hospitals. "We also have continually strengthened our safeguards to enhance our information systems and processes, and will continue to do so under the terms of the agreement with HHS." HHS has also extracted settlements from several other healthcare entities over the past two years as it beefs up the effort to crack down on HIPAA violations. In April, it reached a $2 million settlement with with Concentra Health Services and QCA Health Plan. Both organizations reported losing laptops containing unencrypted patient data."

Healthcare IT in the US

[maple_shaft]

Having worked in IT and software development for a number of different health systems some common themes run true.

1) Over emphasis on the needs of the physicians over the needs of the patients and the other areas of the healthsystems. Many important IT choices are made by doctors and not the professionals who were hired to be experts in these areas. That and the physicians are notorious for having almost no respect for other professionals who are not a doctor.

2) Easy money. Money comes easy to these organizations. This plus...

3) Non-profit tax status and requirements to spend or invest profits earned. This creates an environment of plentiful budgets where waste runs rampant, and concern over things such as nepotism and incompetence aren't as important as they would be in other companies.

Of course with nepotism you get politics so thick you couldn't cut it with a carbide blade. This causes a technical brain drain to the point where you have a bloated IT department with 20 incompetent people for every person who knows what they are doing and is always taking the role of the Hero. The Hero can get things done and keep things secure despite all of the problems but eventually like everybody else, the Hero is a human being and has flaws like a human being. The Hero occasionally makes a mistake.

Re:Healthcare IT in the US

[maple_shaft]

Allow my rebuttal...

The doctors are IT's customers not the patient. The patients are the doctor's customers not yours. It's the doctor's job to care for the patients. It's IT's job to make sure the computers doesn't get in the doctor's way while remaining secure and HIPAA compliant. I can see why the doctors would disrespect an IT department that doesn't cater to the customer's (as in doctors) needs.

If you haven't noticed, the nature of healthcare is changing because of IT. With analytics, data warehouses and artificial intelligence like IBM's Watson diagnosing patients with stunning accuracy, the role of doctor centric patient care is going the way of the dodo. Granted we are not there yet but in the next 20 years we will see computers diagnosing patients, medical breakthroughs occurring through the use of analytics as opposed to traditional medical research, and doctors just basically being delegated to QA on patient care. The point is that all of this will be patient-centric where IT begins to see the patient as the client.

In 80 some years of cardiac medicine, about the single most effective treatment that all doctors agree on is Aspirin. Healthcare breakthroughs move slowly if you haven't noticed. Now with analytics, doctors, researchers and analysts will be able to interpret correlations in a way never allowed before.

Really? Their budgets have been shrinking for well over a decade. With medicare payouts being lowered, unfunded mandates to provide "life saving" care to indigents which includes triaging cold and flu cases in ERs, increasing budget reserves in order to offset the growing malpractice risks (self insured hospitals) or paying higher premiums (non-self insured hospitals), and increase labor costs for staff I'd like to know where this easy money is coming from.

You make it seem as if the non-profit centers see this charity care as a bad thing. To the contrary, they are allowed to write off this "free" care that they are required to give mind you, as charity towards the requirements for them to maintain non-profit tax status. I promise you the cost of free care is a pittance compared to the corporate taxes they otherwise must pay as well as state and local property taxes and the like

Your arguments about malpractice risks and insurance for that are negligible.

In my region the nonprofit medical centers tend to be the regional charity or university based hospitals and they are outnumbered by the growing number of for-profit medical centers that offer specialized care. In plain english this means that the high-markup services are being performed by for-profit outpatient centers leaving the hospitals with convalescence services and indigent care.

This for profit, non-profit line is increasingly blurry though as I see the large non-profit health systems continue to act in ways that are increasingly similar to for profit companies. The chair-persons at such health systems often encourage for-profit ventures to be incubated in the healthsystem and with the support of it so that they have vehicles to move profits into investments towards these for profit institutions. Guess who the board of directors tend to be at these for profit institutions that operate under the non-profit umbrella? Profits find their way into the chair-persons hands in a very indirect way. You may not realize who is really calling the shots and who actually owns these for profit institutions but I do and you would be surprised.

This doesn't sound like any of the hospitals that I know about. I have friends and colleagues that are in the medical software business or an employee of a hospital throughout the southeast. My graduating class of engineers took advantage of the changes that HIPAA brought and a large portion of them work in the industry. We stay in touch and some of them are known to vent their frustration but none of it involved nepotism, mostly it involves hav