Protecting Patient Privacy - Points for Effort

It's a difficult time for health care providers to practice, given the constant changes in computer technology, patient requests, and government regulations.

One particular difficulty relates to how sometimes it's easy to miss the forest for the trees when it comes to IT security, as in this DVD that we recently received from a third-party wherein the password for decrypting the files stored on the DVD was simply written on the DVD itself.

For context, Magenta Health physicians commonly request the medical records of patients from former physicians and health care facilities.  Once we send this request off, the requested documents are sent to us via various means such as fax, mail, flash drives, or DVD.

Particularly when physically mailing information, there is a risk of the package being misdirected, and accordingly, if the information is being mailed on physical media such as a DVD or flash drive, it will sometimes be encrypted.  In theory, this is a great idea, although it raises the issue of how to convey to us the password to decrypt the information.  There's no perfect answer, but what is commonly done is that the password and the information will be sent separately. This is similar to how, for example, banks send credit card PINs separate from the credit card itself.

Where this breaks down is if the password is sent together with the information, as in the image above.  In these circumstances, the entire purpose of encrypting the information on the DVD (to protect it from inadvertent disclosure) is defeated since anyone who happens across the DVD would be able to readily access the information.

Suffice it to say, this is an example of why we think it's always important to take a step back and think about, in practical terms, why a particular measure or precaution is being taken, and to evaluate whether it's being deployed and utilized correctly.