OHSU Data Breach: Where Health IT is lacking

Healthcare IT Security

April 19, 2017
ohsu data breach lacking healthcare it|medical data breach and security

In an interesting piece posted over the weekend at The Health Care Blog, Dr. David Do described a recent reported data breach by the Oregon Health & Science University. The event, which was reported to patients at the end of July, was triggered when OHSU administrators discovered that medical residents were storing patient records in Google Drive, a free, cloud-based document storage platform. While the 3,000 or so patient records discovered to be stored in the cloud were not actually “breached,” regulatory requirements under the HIPAA/HITECH Breach Notification Rule required administrators to notify all of the patients affected.

Healthcare Incidents to be Aware of

As Dr. Do notes, the incident underscores one of the greater issues present in the practical application of healthcare IT: despite the impressive mix of EMRs and other health-related IT tools on the market today, the very basic needs of healthcare providers still remain unfulfilled. One such practical need is the ability for healthcare providers to safely collaborate with one another electronically. As EMR systems continue to neglect the need for this collaboration among healthcare provider teams, the very same providers will look to alternative methods to satisfy the needs of their patients. And as a compliance officer or a CIO, by the time you find out that your employees are using unapproved mass market solutions, it’s usually too late.

Current Cloud Storage is not Secure Enough for Healthcare

medical data breach and security

Free cloud-based storage tools such as Google Drive or Dropbox are remarkably usable and convenient. I happen to use both on a regular basis to share documents across devices and with different people. However, despite the practical uses of these products, they were not designed to share highly sensitive data such as PHI. Moreover, when a patient record gets uploaded to the server of a third-party provider, the data has gone off hospital premises and into the custody of a de facto business associate with no BAA in place. Show me someone who has gotten Google to enter into a BAA, and I’ll show you a liar.

Get Secure with your Data Today

Here’s the bottom line: the providers at your facility have a deep thirst to use electronic tools to share patient data in a laudable effort to improve care for their patients. Given the inadequacy of existing EMR systems to provide this ability, your providers are going to find one way or another to assist with this workflow. As someone in charge of your information systems or compliance program, it’s much better to vet out the possible tools for them to use on the front end than deal with the potential data breach on the back end.

The Author
Krishna Kurapati

Krishna Kurapati is the Founder and CEO of QliqSOFT. He has more than two decades of technology entrepreneurship experience. Kurapati started QliqSOFT with the strong desire to solve clinical collaboration and workflow challenges using artificial intelligence (AI)-powered digital technologies across the U.S. healthcare system.

Related Content

Customer Success Story:

No items found.
Related Story:


Want our blogs in your inbox?
Subscribe for more!

Thank you!
Oops! Something went wrong while submitting the form.