3905 Vincennes Road, Suite 204, Indianapolis, IN 46268. Phone: (317) 704-2400. Fax: (317) 704-2410.
Posted by: Robert Markette

In this case, the individual who discovered the problem was attempting to install the company's software on a client's computer. When he could not get software updates to install, he poked around in the software and discovered a web address, login name, and password embedded in it. The consultant used this information to manually log onto the company's file server to try to find the updates he needed. When he could not quickly determine what he needed, he downloaded the entire contents of the directory (about 2 gigabytes of information). As the consultant reviewed what he had found, he discovered the patient data. Oops.

The consultant was able to access the server because the software had security information hard coded into it (to allow the program to connect to the server, one would suppose). The software company's position is that the consultant should not have been poking around in the software that way, but according to a number of writers, this was not an inappropriate practice. In fact, one security expert offered the opinion that the software company was at fault, because it should never have included that information directly in the software.

The troubling part of the story is that the consultant was concerned about coming forward with what he had learned, because the software industry accuses the individual who discovers and reports the problem. According to the article, the consultant was concerned he might be charged with wrongdoing. For covered entities that contract with software companies, this is not a good thing to see. If you are entrusting your PHI to third parties, you should want them to be grateful when somebody comes forward and helps them keep your data more secure. That gratitude encourages individuals like the consultant in this case to come forward, and it is an attitude that should be encouraged.

I would analogize it this way: if your neighbor or someone else noticed your house was on fire, you would want them to come tell you, and you sure wouldn't turn around and accuse them of setting the fire.

One might also ask why a file full of patient data was placed on a server that any copy of the company's software could access, or at least on a server that apparently was accessed by copies of the software to download software updates. Shouldn't your information be stored in a separate location from the software updates?

Another point that came up in the story was another cry for more HIPAA enforcement. However, HIPAA enforcement wouldn't really matter in this kind of case. The software company is most likely not a covered entity. If it is not a covered entity, the Office of Civil Rights (aka the HIPAA Police) has no authority to enforce HIPAA against the company. The company's compliance is solely a matter of the terms of its business associate agreement. As for the covered entity whose information was at risk, it was not even aware of the problem until after the fact. Furthermore, the covered entity was under no obligation to police its business associate. This is a good thing, because there is no practical way to police this kind of thing. As it is, the circumstances that led to the discovery of the potential security problem were, at best, unique. Placing a heavier burden on providers to police business associates would put covered entities at risk of enforcement actions for things over which they have little or no control. How would covered entities police these things? Hire consultants to review the code of every piece of software? Review the business associates' internal security policies and procedures? Health care providers already have enough to do to meet their regulatory burdens; the answer to this problem is not more enforcement.
The information you obtain at this site is not, nor is it intended to be, legal advice. You should consult an attorney for individual advice regarding your own situation. Copyright © 2008 by Home Care Law Blog, Gilliland & Markette LLP. All rights reserved. You may reproduce materials available at this site for your own personal use and for non-commercial distribution. All copies must include this copyright statement.