“In May 2013, an Oregon Health & Science University School of Medicine faculty member discovered residents [were] using Internet-based services to maintain a spreadsheet of patients. Their intent was to provide each other up-to-date information about who was admitted to the hospital under the care of their division.” – OHSU News
Although this sounds like an isolated incident, many physicians are shocked to learn that Google and other cloud-based solutions are not secure and cannot be used for patient care. Cloud-based storage refers to saving data to an off-site storage system maintained by a third party. Instead of storing information on your computer’s hard drive or other local storage device, you save it to a remote database. Many of us have been using cloud-based storage for years: Gmail and Yahoo! are two examples of web-based email where our data “lives” on a server and can be accessed remotely.
Cloud-based storage solutions go much deeper than just email or Google spreadsheet solutions. For example, according to HIPAA compliance documents, “[text] messages may reside on a mobile device indefinitely… messages often can be accessed without any level of authentication, meaning that anyone who has access to the mobile phone may have access to all text messages on the device without the need to enter a password.”
While many of us are careful to keep our cellphones password protected and delete patient-specific messages after reading them, you would not believe how many clinicians are shocked (and appalled) to learn that texting patient information can also be viewed as storing information on an insecure cloud.
Since most mobile phones automatically back up to a cloud to help the user in the event of theft or damage, during that backup, data may be “pushed” to a variety of cloud solutions and may be stored in an insecure manner. So as a doctor, if you are going to use your phone to text information, make sure that it is not going through a cloud-based server (for example, on an iPhone, the iChat feature), and turn off the backup feature.
The root of the problem is described in the OHSU press-release: “Although the Internet-based service provider (Google Drive, Google Mail) is password-protected and has security measures and policies in place to protect information, it is not an OHSU business associate with a contractual agreement to use or store OHSU patient health information.”
According to the Department of Health and Human Services, it is okay to store your protected health information/data on a third-party cloud-based solution as long as the company has signed a Business Associates Agreement (BAA) with HHS, thereby accepting responsibility not only for the protection of that information, but also for the maintenance of that information. Well, as you can imagine, the “free” web-based cloud services that we all use and love have not signed BAAs, and as such, they are not responsible for maintaining your information and have no liability if your information is breached. What this means is that if you use one of these services, ultimately you are the one who will be held responsible.
So, how do you avoid problems? First and foremost, make sure that you and your fellow medical students / residents are aware of your institution’s policies about patient information. For example, you may not even realize that texting, G-chatting, or e-mailing a schedule with names of the surgeon and initials of the patient, would be a breach of patient health information; but, by the strictest definitions, it is. When in doubt, pick up the phone, or use secure messaging services.
Second, be aware that personal devices are subject to the rules and regulations of the institution. Just because you own your device doesn’t mean that you don’t have to keep it secure, especially if you receive work-related email and/or text messages.
Third, and most importantly, become a peer educator. A breach in patient health information can be likened to pornography: it is hard to describe, but you know it when you see it. If you see a colleague of yours doing something that may remotely lead to a breach, educate them about the potential ramifications (financial penalties, legal penalties, dismissal from school/residency/fellowship).