Audit cites UIHC for lacking encryption
Tara Bannow reports:
About half of the more than 500 laptops issued to University of Iowa Hospitals and Clinics employees last summer did not have encryption software to protect sensitive information, a deputy state auditor said Monday.
A state of Iowa auditor’s office report released Monday described how the lack of encryption software on some of UIHC’s computers could compromise data such as patient registrations, scheduling and billing information. The audit took place between May 28, 2012, and July 30, 2012.
Read more on Iowa City Press-Citizen.
I don’t see the audit report up on Iowa’s web site at this time, but if as late as the summer of 2012, UIHC was still not routinely deploying encryption on mobile devices, then I wonder how many other large hospital systems were – and are – also not deploying it.
Ironically, just before reading the news report, I had just been reading a commentary by Danny Lieberman of Pathcare, who takes privacy crusaders like Patient Privacy Rights to task, in part, for fighting a national ID for patients. Having a single national identifier for patients when there are so many hacks, lost devices, and patient data being stolen for tax refund fraud schemes strikes me as medical ID theft waiting to happen. Rather than taking PPR to task for fighting a single identifier, the healthcare sector and its tech vendors would do better to first show us that they have deployed encryption and other security measures and are ready – or as ready as they really can be – to protect our information. And as long as I continue to see laptops and tapes with unencrypted patient info stolen from cars, I don’t think that patients can truly trust entities or risk a national identifier.