Sadly, I'm now back in not-so-sunny England, but one of my colleagues forwarded me an item about security breaches reported by healthcare organizations. On January 1st it became mandatory in California for such organizations to report incidents where non-anonymized patient data may have been intentionally or unintentionally disclosed to someone unauthorized. In the first five months, more than 800 incidents were reported by organizations and patients.

While most of the incidents reported so far seem to have been accidental (such as faxing documents containing personally identifiable patient data to the wrong number), there are one or two reports that have a much higher profile. According to Kim Zetter's article in Wired, 23 hospital workers accessed, without authorization, the records of a single mother on public assistance who gave birth to octuplets, while the actress Farrah Fawcett filed a complaint before her death accusing employees of the UCLA Medical Center of leaking information about her to the National Enquirer.

Zetter also notes that healthcare providers in California have criticized this legislation for being "too rigid". Perhaps that's not surprising, since a breach can cost an organization or individual up to $250,000. However, it seems fairly mild from a European perspective.

There, all personal data (not just medical data) are subject to legislation like the UK's Data Protection Act based on an EC (European Community) directive (95/46/EC), which every EU member state has used as the basis for national legislation. The UK Act, for example, defines eight Principles that data controllers are required to abide by. However, there is also a great deal of healthcare-specific legislation to which both private and public sector organizations are required to conform, some of which also has a direct impact on privacy and data control. (In the UK, most healthcare comes within the domain of the National Health Service, which in turn is controlled by the government's Department of Health.)

The NHS Code of Practice on Confidentiality published by the Department of Health actually defines three main classes of data:

  • Patient Identifiable Information includes information that identifies an individual patient directly or indirectly.
  • Anonymised Information has had data removed that could be used to identify the individual.
  • Pseudonymised Information includes data keys (unique references such as a patient number or code) that cannot be ascribed directly to an individual in the context of that specific data, but which can be used by authorized persons to access personal information where necessary from other data sources.

The many recorded instances of data breaches within the NHS and other government organizations show that there's a lot more to data protection than classifying data. However, the implementation of such classifications, in combination with measures for controlling who has access to information once it has been classified, can go a long way towards reducing the impact of security breaches.
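To make the three NHS classes concrete, here is an added example (my own illustration, not code from the Code of Practice or any NHS system) that takes a constructed patient record and produces an anonymised copy, a pseudonymised copy whose data key is an HMAC under a secret held by the data controller, and a re-identification step gated on an assumed role name; the record values, secret and role name are all made up for the example.

```python
import hashlib
import hmac

# Constructed sample record (made-up values, not real patient data).
PATIENT_RECORD = {
    "name": "Jane Example",
    "nhs_number": "000 000 0000",
    "postcode": "AB1 2CD",
    "diagnosis": "hypertension",
    "admitted": "2009-03-14",
}

# Fields that identify the patient directly or indirectly.
DIRECT_IDENTIFIERS = ("name", "nhs_number", "postcode")
# Assumed role name allowed to re-identify; in practice an organisational decision.
REIDENTIFY_ROLE = "authorised_reidentifier"

def anonymise(record: dict) -> dict:
    """Anonymised Information: identifying fields are dropped and cannot be recovered."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}

def pseudonymise(record: dict, secret: bytes, key_store: dict) -> dict:
    """Pseudonymised Information: identifiers are replaced by a data key.

    The key is an HMAC of the NHS number under a secret held by the data
    controller, so the data set on its own cannot be ascribed to a person.
    The identity is kept in key_store, which must be held separately.
    """
    digest = hmac.new(secret, record["nhs_number"].encode(), hashlib.sha256)
    data_key = digest.hexdigest()[:16]
    key_store[data_key] = {k: record[k] for k in DIRECT_IDENTIFIERS}
    pseudo = anonymise(record)
    pseudo["patient_key"] = data_key
    return pseudo

def can_reidentify(requester_roles: set) -> bool:
    """Access control: only an authorised role may join a data key back to a person."""
    return REIDENTIFY_ROLE in requester_roles

def reidentify(pseudo_record: dict, key_store: dict, requester_roles: set) -> dict:
    """Return the identifying fields for a pseudonymised record, if authorised."""
    if not can_reidentify(requester_roles):
        raise PermissionError("re-identification requires an authorised role")
    return key_store[pseudo_record["patient_key"]]
```

The same NHS number always maps to the same data key under one secret, so records can be linked across data sets without exposing who the patient is, while the key store stays behind the access check.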

Strict legislation may be irksome, but sometimes you just have to balance an organization's aversion to the risk of paying large fines against the need to protect the privacy of the individual.

David Harley
Director of Malware Intelligence