DataBreaches.Net


How to reconcile Kaiser's statements about who can access patient data

Posted on March 9, 2010 by Dissent

Two reports of how Kaiser Permanente approaches security left this blogger scratching her head last week, as the reports might seem to contradict each other. And because the VA Watchdog had the same questions I have, I decided to follow up.

On February 28, and as reported by Health Data Management, Eric Liederman, M.D., director of medical informatics at Kaiser Permanente’s Northern California division, described the security approach this way during the Physicians Symposium at the HIMSS 2010 Conference & Exhibition in Atlanta:

…. The common approach is to restrict access to patient data by assigning roles to users and allowing role-based access. But this can hamper appropriate exchange of health information and raises the risk of patient harm, particularly in the case of sick patients quickly getting sicker, Liederman said.

Kaiser took another route by making all accountable by giving everyone access to everything. But … record all views, investigate all complaints, use surveillance to find “silent offenders,” sanction the guilty and publicize the sanctions. “You don’t have to publicize the names but put out the word that coworkers–real people–no longer work here because they violated privacy,” Liederman explained.

The accountability approach deters temptation-driven mistakes and keeps good employees on the job, removes barriers to people doing their jobs, and avoids proliferation of security profiles and roles, he added. This reduces confusion while increasing consistency, and protects key privacy targets–physicians, co-workers, neighbors and celebrities/VIPs.

And the way to maintain law and order in an open environment is to police, police, and police with information technology surveillance tools.

Yet as Alice Lipowicz of Federal Computer Weekly reported on March 5, Dr. John Mattison, chief medical information officer for Kaiser Permanente Southern California, told her that Kaiser uses role-based access privileges like most other health systems, and that Kaiser has been performing algorithmic surveillance of its systems to detect anomalies that could indicate unauthorized access.

“We do not allow everyone to see everything,” Mattison said today. “We allow access based on roles — which include receptionist, medical assistant, quality assurance officer, coding or billing officers. We have security profiles, and you can only see what is allowed for that role.”

Typically, health systems have about 40 to 2,000 different user profiles and corresponding levels of access in their systems, Mattison said. Kaiser’s number of roles “is in the middle of that range.”

“We are using the same restrictions as the rest of the industry, and we are pretty much in the middle of the industry for integrated organizations,” Mattison said. Also, Kaiser is forging ahead in deploying its surveillance software to better detect anomalies, he added.

As for suggestions that Kaiser’s security is more “daring” than other health plans, Mattison disagreed with that assessment. “There are some false assumptions underlying that premise,” Mattison said.

I asked Kaiser to comment on what seemed to be a contradiction in the way the approach to security was described. John Nelson, spokesperson for Kaiser, responded:

The comments made by Drs. Mattison and Liederman are both accurate, depending on the area of patient health information being accessed. Given the comprehensiveness of our electronic medical record, we employ role-based access controls in all areas where it makes sense to do so. For caregivers involved in direct patient care, we ensure that they have sufficient access to information relevant to their work, enabling them to provide the highest quality of care. For others who are not involved in direct patient care, their access is much more restricted according to what information they need to perform their jobs. This combined approach enables us to protect patient privacy and deliver the best care possible through electronic health records.

According to Nelson, when Dr. Liederman said that Kaiser gave “everyone access to everything,” he was not really talking about everyone — only those involved in direct patient care.
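To make the two descriptions concrete, here is an added toy model of the "combined approach" Nelson describes and the "record all views, then police" surveillance Liederman describes. It is illustrative code written for this post, not Kaiser's system or anything Kaiser published: direct-care roles get open access, other roles get only the sections in their security profile, every attempted view is written to an audit log, and a review pass then flags the allowed views that hit the privacy targets Liederman listed (co-workers, VIPs), plus views with no treatment relationship and users reading an unusual number of charts. All role names, sections, patients, users and thresholds are constructed assumptions.

```python
# Added illustration (not Kaiser's system or code) of role-based access for
# non-clinical roles, open access for direct care, log-everything auditing, and
# a surveillance pass over the log. All names, roles and events are constructed.
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

DIRECT_CARE_ROLES = {"physician", "nurse"}            # Liederman's "everyone"
ROLE_SECTIONS: Dict[str, Set[str]] = {                # Mattison's security profiles
    "receptionist": {"demographics", "appointments"},
    "billing": {"demographics", "billing"},
    "quality_assurance": {"demographics", "clinical_notes"},
}

@dataclass
class Patient:
    patient_id: str
    vip: bool = False
    employee_id: Optional[str] = None                 # set when the patient is also staff
    care_team: Set[str] = field(default_factory=set)  # user ids with a treatment relationship

@dataclass
class AccessEvent:
    ts: datetime
    user_id: str
    role: str
    patient_id: str
    section: str
    allowed: bool

def request_view(log: List[AccessEvent], user_id: str, role: str,
                 patient: Patient, section: str, ts: datetime) -> bool:
    """Enforce the access rule and record the attempt whether or not it succeeds."""
    if role in DIRECT_CARE_ROLES:
        allowed = True                                       # open access for caregivers
    else:
        allowed = section in ROLE_SECTIONS.get(role, set())  # role-based for everyone else
    log.append(AccessEvent(ts, user_id, role, patient.patient_id, section, allowed))
    return allowed

def surveil(log: List[AccessEvent], patients: Dict[str, Patient]) -> List[dict]:
    """Flag allowed views that match the privacy targets named in the post."""
    findings = []
    for ev in log:
        if not ev.allowed:
            continue  # denied attempts are logged, but they are not "silent" offences
        p = patients[ev.patient_id]
        flags = []
        if p.employee_id == ev.user_id:
            flags.append("self-access")
        elif p.employee_id is not None:
            flags.append("co-worker record")
        if p.vip:
            flags.append("VIP record")
        if ev.role in DIRECT_CARE_ROLES and ev.user_id not in p.care_team:
            flags.append("no treatment relationship")
        if flags:
            findings.append({"user": ev.user_id, "patient": ev.patient_id,
                             "section": ev.section, "flags": flags})
    return findings

def high_volume_users(log: List[AccessEvent], threshold: int) -> Dict[str, int]:
    """Volume anomaly: users who viewed at least `threshold` distinct patients."""
    seen: Dict[str, Set[str]] = {}
    for ev in log:
        if ev.allowed:
            seen.setdefault(ev.user_id, set()).add(ev.patient_id)
    return {u: len(ps) for u, ps in seen.items() if len(ps) >= threshold}

def run_demo() -> Tuple[List[dict], Dict[str, int]]:
    """Constructed scenario; returns (per-view findings, high-volume users)."""
    patients = {
        "P1": Patient("P1", care_team={"dr_ana"}),
        "P2": Patient("P2", vip=True, care_team={"dr_ana"}),
        "P3": Patient("P3", employee_id="nurse_bo", care_team={"dr_ana"}),
    }
    t = datetime(2010, 3, 1, 9, 0)
    log: List[AccessEvent] = []
    request_view(log, "dr_ana", "physician", patients["P1"], "labs", t)                   # routine care
    request_view(log, "nurse_bo", "nurse", patients["P1"], "clinical_notes", t)           # not on care team
    request_view(log, "recep_cy", "receptionist", patients["P1"], "clinical_notes", t)    # denied by role
    request_view(log, "recep_cy", "receptionist", patients["P2"], "appointments", t)      # VIP chart
    request_view(log, "nurse_bo", "nurse", patients["P3"], "labs", t)                     # own record
    request_view(log, "dr_ana", "physician", patients["P3"], "clinical_notes", t)         # co-worker, but treating
    for pid in ("P1", "P2", "P3"):                                                         # bulk billing lookup
        request_view(log, "bill_dee", "billing", patients[pid], "demographics", t)
    return surveil(log, patients), high_volume_users(log, threshold=3)

if __name__ == "__main__":
    findings, volume = run_demo()
    for f in findings:
        print(f)
    print("high-volume users:", volume)
```

The point the two interviews share is visible in the output: the receptionist's attempt to open clinical notes is blocked by the role profile, while the nurse's view of a chart she is not treating goes through and only shows up afterwards, in the surveillance pass. A real deployment would replace the constructed flags with the organisation's own treatment-relationship data and would tune the volume threshold per role rather than using one number.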
