Since the story first broke yesterday, I’ve been somewhat fascinated by the case of a Colorado Springs nurse who has reportedly been fired for misusing/exceeding her access to Physician Link to access the records of 2,500 patients at Colorado Springs Hospital that she had no legitimate reason to access.
According to an updated version of their original news coverage:
Niell denied that she had accessed “anywhere close to“ 2,500 records but admitted to the Gazette Monday night that she did use the database for personal reasons, such as to look up the phone number of a friend that she had lost. However, she said that using the database that way is common practice for many in the medical community.
“That’s my crime, but as far as this other allegation, absolutely ridiculous. I wouldn’t dream of doing what they’re accusing me of,” she said. “I guarantee that accessing the database for stuff like that is rampant in the medical community. If you talked to other medical people, you’d find out that it’s pretty damn common.
“If they are going to get me for that, they would have to get a tremendous number of people for that.”
She said she is being investigated because her supervisors were uncomfortable with her psychic ability. Niell, who said she has had three near-death experiences, said she was often able to get a psychic reading from people she was around. Once, she said, she was recognized by the city after correctly warning a patient he was close to a heart attack and advised him to seek immediate treatment.
“The city gave me a plaque for life-saving intervention,” she said. “They liked it when it worked for them but didn’t like it when I made them uncomfortable.”
Niell said her supervisor was looking for a way to fire her after Niell told her about a possible life-threatening condition and the supervisor became angry. Niell admitted she later accessed the database to see if the supervisor heeded her advice and sought treatment.
City spokesman John Leavitt said Niell became a target of an investigation after her supervisor noticed unusual activity on the system, including how many times it was being accessed and from where it was being accessed. Memorial was notified on May 20.
I have no doubt that the nurse is right – that the problem of inappropriate access is rampant. Which leads us to the real story here: why was she able to access those records? What kind of authentication system does Physician Link use to ensure that only people who should be able to access a file are able to do so? Logs can point out a problem after it happens, but what about prevention?