Healthcare IT Security

OHSU Data Breach: Where Health IT is lacking

Krishna Kurapati
April 19, 2017

In an interesting piece posted over the weekend at The Health Care Blog, Dr. David Do described a recent reported data breach by the Oregon Health & Science University. The event, which was reported to patients at the end of July, was triggered when OHSU administrators discovered that medical residents were storing patient records in Google Drive, a free, cloud-based document storage platform. While the 3,000 or so patient records discovered to be stored in the cloud were not actually “breached,” regulatory requirements under the HIPAA/HITECH Breach Notification Rule required administrators to notify all of the patients affected.

Healthcare Incidents to be Aware of

As Dr. Do notes, the incident underscores one of the greater issues present in the practical application of healthcare IT: despite the impressive mix of EMRs and other health-related IT tools on the market today, the very basic needs of healthcare providers still remain unfulfilled. One such practical need is the ability for healthcare providers to safely collaborate with one another electronically. As EMR systems continue to neglect the need for this collaboration among healthcare provider teams, the very same providers will look to alternative methods to satisfy the needs of their patients. And as a compliance officer or a CIO, by the time you find out that your employees are using unapproved mass market solutions, it’s usually too late.

Current Cloud Storage is not Secure Enough for Healthcare

medical data breach and security

Free cloud-based storage tools such as Google Drive or Dropbox are remarkably usable and convenient. I happen to use both on a regular basis to share documents across devices and with different people. However, despite the practical uses of these products, they were not designed to share highly sensitive data such as PHI. Moreover, when a patient record gets uploaded to the server of a third-party provider, the data has gone off hospital premises and into the custody of a de facto business associate with no BAA in place. Show me someone who has gotten Google to enter into a BAA, and I’ll show you a liar.

Get Secure with your Data Today

Here’s the bottom line: the providers at your facility have a deep thirst to use electronic tools to share patient data in a laudable effort to improve care for their patients. Given the inadequacy of existing EMR systems to provide this ability, your providers are going to find one way or another to assist with this workflow. As someone in charge of your information systems or compliance program, it’s much better to vet out the possible tools for them to use on the front end than deal with the potential data breach on the back end.

The Author
Krishna Kurapati

With over two decades of technology entrepreneurship background, Krishna Kurapati started QliqSOFT with the strong desire to solve clinical collaboration and workflow challenges in US Healthcare. During the late 90s, Krishna co-founded IPCell to build the first Cable IP Telephony switch, eventually selling the company to Cisco Systems. In 2003, he started Sipera (acquired by Avaya Systems) to solve security issues for Unified Communications' and raised over $30MM in venture funding. Additionally, he has been actively involved in the early-stage financing of startups in both the US and India.

Healthcare's Most Flexible Collaboration Platform

Engaging Patients and Connecting Care Teams Through Interactive Digital Conversations

Learn More