Information Security News mailing list archives
RE: Britney Spears: Hospital Workers Fired For Looking At Singer's Medical Records
From: InfoSec News <alerts () infosecnews org>
Date: Tue, 18 Mar 2008 02:44:45 -0600 (CST)
Forwarded from: Marc Maiffret <marc (at) marcmaiffret.com>
It is always funny when you hear about organizations, as critical as
medical or finance, still depending on the honor system for security.
Those lovely employee security handbooks that are to put to paper what
you could enforce through technology. But of course there is the old
tired excuse that it costs too much and is too complex to do proactive
enforcement rather than reactive policing. It is in fact true that
reactive policing is cheaper when there is no incident, but much more
costly when there is. Whether, as in this case, it be the immeasurable
loss due to negative publicity or HR and related costs of having to now
fire, hire and train new employees.
You also have to wonder whether it is only the ability to view our
medical records that is based on the honor system, or also the ability
to modify them.
-Marc Maiffret
P.S. The "quick fix" (ha!) of course, add an actually useful requirement
to all this regulation garbage that goes beyond "You will use
anti-virus" to "Your medical record system should provide mandatory
access control to patient records" bla bla bla
-----Original Message-----
http://www.mtv.com/news/articles/1583480/20080314/spears_britney.jhtml
By Larry Carroll
MTV News
March 14, 2008
LOS ANGELES -- In the song "Leave Me Alone," imperiled pop star Britney
Spears sang, "Leave me alone/ Let me live my life in peace." Now, she
might want to sing those words to the medical workers on duty during her
most recent hospital stay.
The Los Angeles Times is reporting that the UCLA Medical Center has
launched an investigation into some 25 employees who peeked at the
singer's confidential medical records during her late January/ early
February stay in the psychiatric ward. This week, the hospital began the
process of firing 13 employees, has suspended at least six more, and is
considering discipline against six other physicians who looked at her
computerized records.
"It's not only surprising," human resources director Jeri Simpson told
the paper, adding that similar firings also followed Spears' 2005 stay,
when she gave birth to her first child, Sean Preston. "It's very
frustrating, and it's very disappointing.
"I feel like we do everything that we possibly can to ensure the privacy
of our patients, and I know we feel horrible that it happened again,"
Simpson added, offering an apology to Spears. "I don't know what it is
about this particular person."
UCLA confirmed that, in an attempt to keep this breach of ethics from
occurring, officials had sent out a memo on the morning Spears was
hospitalized. The memo reminded employees that they were only allowed to
view their own patients' records and that doing otherwise violated a
federal patient-privacy law called the Health Insurance Portability and
Accountability Act.
"Each member of our workforce, which includes our physicians, faculty,
employees, volunteers and students, is responsible to ensure that
medical information is only accessed as required for treatment, for
facilitating payment of a claim, or for supporting our healthcare
operations," the memo read. "Please remember that any unauthorized
access by a workforce member will be subject to disciplinary action,
which could include termination."
[...]
