
Health care Archives

October 4, 2009

Laptop stolen with 39,000 Blue Cross physicians information

Once again the health care industry is struggling to maintain control over sensitive information. The Boston Globe reported this week that the largest health insurer in Massachusetts, the Blue Cross and Blue Shield association, had to warn 39,000 of its physicians about the loss of a laptop containing confidential health information.

Jeff Smokler, national Blue Cross-Blue Shield spokesman, said the insurance giant - roughly 90 percent of physicians nationwide are in its network - encrypts all of its information on company computers, but an employee who was authorized to have the information violated company rules by downloading an unencrypted version onto a personal laptop. The laptop was stolen after the employee left headquarters with it.

This is a good example of where Oracle IRM fits into a complete security solution, from the database through to documents on the desktop. Encrypting data in the database, on the network and on corporate computers still leaves you exposed once content is downloaded into documents that can end up beyond your control. After incidents like this one, many organizations roll out hard disk and operating system encryption, which only protects the document at rest on that one machine. For a complete document and email solution you want the encryption applied at the document level, so that wherever the document travels it remains protected. Oracle IRM combines industry-standard encryption with persistent rights control to ensure that confidential information, such as patient and physician data, can only be accessed by authorized users.

Even when the information is on a stolen laptop, nobody can access the data in documents and emails unless they have been given rights on the Oracle IRM server. In this case an employee broke the rules by copying data to a personal laptop, but there may well have been legitimate reasons for doing so. Users want to access information in a variety of ways; people are used to collaborative online environments where it doesn't matter which computer you use, you should still have access to your information. Oracle IRM allows users to copy confidential content even to personal machines while you retain control not only over whether they can open the document, but also over whether they can print, edit, or copy and paste the information.

[Screenshot: an Oracle IRM-protected document]

Another crucial element of a complete security solution would be to ensure that the information downloaded from applications is secured by IRM at source. Oracle IRM has a very extensive, yet simple API which allows companies to encrypt and secure information at the point where a user downloads it by integrating IRM with the application. A good example of this is our integration with the Oracle content management system.

Oracle have also spent just as much time in developing an easy user experience as they have in making the technology secure. This means Oracle IRM can be deployed not only to protect your information at the point it's exported from the database in a document, but also to be relatively transparent to the end user. People often don't realize the document has been secured until they try to print or take a screen shot.

February 9, 2009

Kaiser Permanente becomes another healthcare data loss casualty

A news report in the San Francisco Bay Area has brought attention to Kaiser warning nearly 30,000 employees of a data breach involving their names, addresses and social security numbers. In fact, a handful of employees have already reported incidents of identity theft.

The report states, "The theft came to light after the arrest of San Ramon resident Mia Garza, 28, on Dec. 23 on suspicion of possession of stolen property and forgery. In a confiscated computer, San Ramon police later found a file with Kaiser employee data, said San Ramon police Cpl. Rich Persson."

So it seems that a computer was stolen from Kaiser and contained the information about the employees. A classic case of data loss that would've been prevented had the document in question been secured using Oracle IRM. Not only that, but attempts to open the file would've created an audit trail for the police to use as part of the investigation.

Kaiser is helping its employees by providing "one year of free credit monitoring to help affected employees protect their accounts." This can't be cheap for 30,000-odd employees; I wonder whether an IRM solution would have cost less.

February 6, 2009

Is your private health information safe anymore?

It seems that information about your health care activities just isn't safe any more. The news is inundated with example after example of sensitive patient information being lost or stolen. Just today, in one day, I've been made aware of three incidents.

Patients’ files stolen from car at Royal Hospital

The Liverpool Echo, England, has reported that "personal details of 354 patients [of Royal Liverpool University Hospital] waiting for kidney transplants were stolen from the back of a car... It contained names, addresses, dates of birth and contact details as well as tissue and blood types." Another good reason to employ a technology such as IRM to control who can print documents containing sensitive information.

One dialysis patient whose details were lost told the ECHO: “Obviously I was amazed that our details were going around on a paper copy. They should have been on an encrypted laptop." Actually, even storing the document on an encrypted laptop (hard disk, OS, device) wouldn't have prevented them from printing the copy.

Hospital bosses said it was essential that transplant team members carried the information, and I agree. But you should never have to trade usability for security. Oracle IRM can provide both: doctors can travel with the IRM-protected content and open it on the move without network access, while the organisation still retains control of the information if the laptop or storage device is lost.

MOST importantly, DON'T let them print this sensitive information in the first place!

Information Commissioner hits another NHS Trust after data breaches

Days after the Information Commissioner launched an initiative called the Personal Information Promise, the ICO has hit Brent Teaching Primary Care Trust with enforcement action requiring it to encrypt all data in future and to improve security in line with the Data Protection Act.

This is after,"... two laptops were stolen containing the personal information of 389 patients. The laptops were stored in a locked office, but were left out on a desk in breach of the PCT’s own security procedures. What's more, the laptops were not encrypted and contained sensitive information, including health details relating to some patients. "

Mick Gorrill, assistant commissioner at the ICO goes on to say; "I am increasingly concerned about the way some NHS organisations are transferring sensitive records onto laptops and other mobile devices that are not encrypted. Organisations need to ensure they implement appropriate safeguards to ensure personal details about patients are processed securely.”

I bet millions of NHS patients also share your concern Mick :)

Catskill Regional Medical Center says worker peeked at patient files

A Catskill Regional Medical Center employee was fired Thursday for looking at the files of 431 patients without authorization.

recordonline.com reports that, "The 10-year employee was working in medical records at the time of the violations and had ready access to the files, but a routine audit determined she was looking at files she had no reason to be in, including those of acquaintances and neighbors, said hospital CEO Steve Ruwoldt. "I think she was just curious," he said. "She was nosy."

Well, good news that the medical center was able to audit access and gather evidence of this breach. Not good news for the employee, of course! I'm not aware what format the patient data was stored in, but Oracle IRM would have helped the center ensure that any documents containing such data were secured from illegitimate access, stopping this particular employee from having a "quick nose" at the information, and it may well have saved her job.

People are curious, and if the controls are not there to protect the information, it's human nature to take a "sneaky peek". I'm sure she regrets her actions, and this raises an interesting point about using IRM: there is a real benefit to the end user. If the organisation protects the content correctly, users can be safe in the knowledge that they can only open content they are legitimately allowed to access, even in a moment of weakness.

January 30, 2009

Lost laptops plague health care organizations

2009 has not been kind to health care organizations. Already in the first month we have seen two incidents of lost or stolen laptops containing patient information.

And today comes a news report that the Department of Veterans Affairs has agreed to pay $20 million to current and former military personnel to settle a class action lawsuit on behalf of the men and women whose personal data was on a laptop computer stolen during a burglary. That is a big price to pay for the loss of one laptop, and it could have been avoided, at far smaller cost, with a technology such as Information Rights Management.

October 1, 2008

More personal data lost in health care

It seems to be happening every week: sensitive information is being lost from health care organizations. This time email is the culprit. BlueCross & BlueShield of Louisiana have had to publicly announce details of an incident in which a document was accidentally attached to an email sent to a group of about 1,700 brokers. The document contained social security numbers, phone numbers and addresses. Fortunately the information was about the same group of people the email was sent to, and no customer information was involved. This demonstrates how easily mistakes like this can happen, and that BlueCross & BlueShield are required by law to make such incidents public. Fines can be incurred for such incidents, although no fine has been reported in this case.

Louisiana Blue Cross confirms data breach

Oracle IRM can prevent such incidents in several ways. Firstly, if this document had been classified and protected using IRM and the recipients had not been given rights to that classification, then the document would never have been accessible to this group of brokers. This is often the most valuable aspect of using an IRM technology: a classification that only allows access to confidential information to people within your organization means that if a document or email is accidentally lost, attached and forwarded via email, or stolen, it is unusable to anyone outside your organization.

However, what if the document had been protected incorrectly, under a classification to which the brokers did have access? Unlike many similar technologies, Oracle IRM separates the rights to content from the documents themselves and stores those rights on the centralized Oracle IRM server. Once the mistake is realized or reported, the BlueCross & BlueShield classification manager can simply deny access to this document, or to many documents, even after they have been distributed. When the brokers then attempt to open the document in the email, they are denied. Even those who were able to open the document before the organization knew of the error are denied once their rights have been changed centrally. They may still have access to other content in the same classification; such is the flexibility of the Oracle IRM classification model.

September 17, 2008

Protecting confidential patient data

[Image: the Teesdale Mercury article]

A recent article in the Teesdale Mercury reports, unfortunately, another instance of patient data falling into the wrong hands. The press constantly reports confidential patient information being hacked, lost, stolen or misused. This highlights a common problem within the healthcare industry: the need to share sensitive information about patients and about the organization's own practices, while complying with regulations that require process and technology to be in place to secure such information. Incidents like this are all too common; the Data Loss DB makes it easy to look across the healthcare vertical and see who has been losing information, how much was lost, when and how.

[Image: a DataLossDB search across the healthcare vertical]

Worse still, the healthcare sector is full of regulation. One of the most important in the U.S.A. is the Health Insurance Portability and Accountability Act of 1996 (HIPAA). A major component of HIPAA addresses the privacy of individuals’ health information by establishing a nation-wide federal standard concerning the privacy of health information and how it can be used and disclosed.

Essentially, a HIPAA covered entity cannot use or disclose protected health information for any purpose other than treatment, payment, or health care operations without either the authorization of the individual or under an exception in the HIPAA regulations.

IRM is an excellent technology for securing any content covered by HIPAA. Not only does it ensure that only the right people have access to the right patient data, but every time a secured document is accessed an audit record is generated, which lets the organization produce reports showing that all reasonable efforts have been taken to secure confidential patient information.
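As an added illustration (my own toy code, not Oracle IRM's API or file format, and not part of any post on this page), the Python model below shows the mechanism the Louisiana Blue Cross post above describes, rights held apart from the sealed document on a central server and revocable after distribution, together with the per-access audit record this post relies on and the stolen-laptop point from the Massachusetts post: the file on disk carries no key. The user names, classification labels, sample record and the SHA-256 counter keystream standing in for AES are all assumptions made for illustration.

```python
"""Toy model of IRM-style sealing (illustrative; not Oracle IRM's API or format).

Content keys and rights live on a server; the sealed file carries only a
header and ciphertext, so a stolen copy is unreadable without a grant, and
rights can be revoked centrally after the file has been distributed.
"""
from __future__ import annotations

import hashlib
import json
import os
from dataclasses import dataclass

# Constructed sample record standing in for the mis-mailed broker list.
RECORD = b"name=J. Doe, ssn=000-00-0000, phone=555-0100 (constructed sample)"


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: SHA-256 counter keystream XOR'd with data.
    A real product uses AES; this keeps the example stdlib-only."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class AuditRecord:
    user: str
    doc_id: str
    action: str
    granted: bool
    reason: str


class IRMServer:
    """Holds the content key per document and the rights per classification."""

    def __init__(self) -> None:
        self._docs: dict[str, tuple[str, bytes]] = {}      # doc_id -> (classification, key)
        self._rights: dict[str, dict[str, set[str]]] = {}   # classification -> user -> actions
        self.audit: list[AuditRecord] = []

    def grant(self, classification: str, user: str, actions: set[str]) -> None:
        self._rights.setdefault(classification, {})[user] = set(actions)

    def revoke(self, classification: str, user: str) -> None:
        self._rights.get(classification, {}).pop(user, None)

    def seal(self, doc_id: str, classification: str, plaintext: bytes) -> bytes:
        """Encrypt under a fresh key the server keeps; the file never holds the key."""
        key, nonce = os.urandom(32), os.urandom(16)
        self._docs[doc_id] = (classification, key)
        header = json.dumps({"doc": doc_id, "cls": classification, "nonce": nonce.hex()})
        return header.encode() + b"\n" + _keystream_xor(key, nonce, plaintext)

    def request_key(self, user: str, doc_id: str, action: str) -> bytes | None:
        """Every request, granted or denied, leaves an audit record."""
        if doc_id not in self._docs:
            self.audit.append(AuditRecord(user, doc_id, action, False, "unknown document"))
            return None
        cls, key = self._docs[doc_id]
        allowed = action in self._rights.get(cls, {}).get(user, set())
        verdict = "allowed" if allowed else "denied"
        self.audit.append(AuditRecord(user, doc_id, action, allowed, f"{action} {verdict} on {cls}"))
        return key if allowed else None


def client_open(server: IRMServer, user: str, sealed: bytes, action: str = "open") -> bytes | None:
    """What the desktop client does: read the header, ask the server, then decrypt."""
    header, body = sealed.split(b"\n", 1)
    meta = json.loads(header)
    key = server.request_key(user, meta["doc"], action)
    if key is None:
        return None
    return _keystream_xor(key, bytes.fromhex(meta["nonce"]), body)


def walkthrough() -> dict:
    """Replays the Louisiana scenario with hypothetical users and classifications."""
    server = IRMServer()
    server.grant("Internal", "staff@example.test", {"open", "print", "edit"})
    server.grant("Brokers", "broker@example.test", {"open"})   # view only, no print
    internal = server.seal("doc-1", "Internal", RECORD)
    misfiled = server.seal("doc-2", "Brokers", RECORD)         # sealed to the wrong class

    r = {}
    # Correctly classified file mailed to a broker: useless to them.
    r["broker_opens_internal"] = client_open(server, "broker@example.test", internal)
    # Misclassified file: the broker can open it, but print is still refused.
    r["broker_opens_misfiled"] = client_open(server, "broker@example.test", misfiled)
    r["broker_prints_misfiled"] = client_open(server, "broker@example.test", misfiled, "print")
    # Mistake noticed: revoke centrally; the already-delivered copy stops working.
    server.revoke("Brokers", "broker@example.test")
    r["broker_after_revoke"] = client_open(server, "broker@example.test", misfiled)
    r["staff_opens_internal"] = client_open(server, "staff@example.test", internal)
    # The stolen-laptop case: the bytes on disk alone never yield the record.
    r["plaintext_in_file"] = RECORD in misfiled
    r["audit"] = [(a.user, a.doc_id, a.action, a.granted) for a in server.audit]
    return r


if __name__ == "__main__":
    for name, value in walkthrough().items():
        print(name, value)
```

The point to take from the walkthrough is the order of events: the broker's copy of `doc-2` is already delivered before `revoke` is called, yet the next open fails, because the client never had the key, only a one-time grant of it. Disk encryption on the broker's laptop would change nothing here; the control sits with the server and its audit log, not with the file.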

About Health care

This page contains an archive of all entries posted to Oracle IRM, the official blog, in the Health care category. They are listed from newest to oldest.
