CBC News reports:
Medical records for thousands of patients at Etobicoke General Hospital could be in the wrong hands following the theft of a laptop.
CBC News has learned the personal details of 5,500 patients — including names, dates of birth and diagnostic reports — were on a laptop that was stolen in mid-January from a lab used to test brain activity.
The lab was locked but the laptop was not password-protected — contrary to hospital policy, according to Ann Ford, chief privacy officer for William Osler Health System.
Read more on CBC.
Wait. The hospital’s policy is to (only?) password-protect laptops containing ePHI? Seriously? And now they’ve boosted their security by tethering laptops with cables but still haven’t deployed encryption? Do they understand how easy it is to bypass a password on a laptop?
This does not sound like adequate data security. I hope Ms. Ford misspoke about the hospital’s policies and that they actually require stronger protection.
Actually, I know the privacy and security policies of this hospital quite well (I used to work there) and they do require encryption on any device that stores PHI. The problem is that clinicians will work directly with vendors, without the involvement of IT, and acquire systems that do not conform to policy. It used to happen very often, and this is likely one of those cases. Chances are management will take this problem by the horns now and deal with it seriously.
Thanks for sharing your experiences with them. I hope their CPO sees my comment – and yours.
Not a problem. I’m sure many people will feel the same as you (the CBC report seemed a little skewed to me – maybe for ratings???).