Support our online development, and advance our onground research initiatives in free market economics, as we seek to showcase the brightest Next-Gen minds.
THE ME-P DISCLAIMER: Posts, comments and opinions do not necessarily represent iMBA, Inc., but become our property after submission. Copyright © 2006 to-date. iMBA, Inc allows colleges, universities, medical and financial professionals and related clinics, hospitals and non-profit healthcare organizations to distribute our proprietary essays, photos, videos, audios and other documents; etc. However, please review copyright and usage information for each individual asset before submission to us, and/or placement on your publication or web site. Attestation references, citations and/or back-links are required. All other assets are property of the individual copyright holder.
A Start-Up Idea
[By Darrell K. Pruitt DDS]
An early, shoestring proposal for a non-profit dedicated to common sense security solutions.
Why? if patients’ identities are unavailable, they cannot be hacked.
Recently, I’ve considered starting a non-profit dedicated to keeping patients’ identities off of dentists’ computers where they are far too easily fumbled thousands at a time. I think I might call it “Dentists for De-identification.” What do you think?
My son Ryan and I have discussed putting together an educational YouTube cartoon – comparing the cost, convenience and security of encrypted Protected Health Information (PHI), to storing PHI, including medical information, only on paper in bulky metal filing cabinets – leaving only nameless, unencrypted dental records on the computer. De-identification is the “other” HIPAA Safe Harbor, meaning if patients’ de-identified dental information is stolen or hacked, nobody has to be notified. And, since the patients’ nameless dental records remain unencrypted, de-ID should not slow down work flow like encryption does.
***
***
One could call employing in-house reference numbers to re-connect patients’ digital dental information to paper-based PHI a hybrid solution to an otherwise intractable security problem. The solution is nothing new, and has a long history of success. For decades, police departments have been substituting in-house reference numbers for citizens’ names to protect the owners. I see no reason it cannot work for dental radiographs as well.
Depending on staff’s familiarity with the alphabet, pulling a patient’s thin paper record from a loud filing cabinet might even take less time than correctly typing in an encryption key (on the first try). What’s more, since there is a limit to the number of patients even the fastest dentists can treat in one day, 4000 or so active patients per dentist is a reasonable estimate of the number of records in a busy dental practice – which is probably one third of the records in the average physician’s practice. Since the dental information remains digital and only a couple of sheets of paper are needed to reveal the patients’ reference number along with a brief medical history, very little filing space should be needed.
The problems with encryption don’t end with correctly entering the key. Once permitted access to encrypted ePHI, it will take much more time to de-crypt one radiograph than it takes to open a manila folder. Depending on the number of radiographs and other digital images – including complex cone-beam radiographs – a patients’ encrypted diagnostic history could require several minutes to view.
I would want to witness the De-ID non-profit professionally investigate whether de-identification indeed offers a cheaper and more secure solution to data breaches from dental offices. I think we all know by now that full disk encryption will never be the answer.
***
***
Assessment
Still too soon? Give it time. The FBI assures us that more massive data breaches are just around the corner.
Channel Surfing the ME-P
Have you visited our other topic channels? Established to facilitate idea exchange and link our community together, the value of these topics is dependent upon your input. Please take a minute to visit. And, to prevent that annoying spam, we ask that you register. It is fast, free and secure.
More:
Conclusion
Your thoughts and comments on this ME-P are appreciated. Feel free to review our top-left column, and top-right sidebar materials, links, URLs and related websites, too. Then, subscribe to the ME-P. It is fast, free and secure.
Speaker: If you need a moderator or speaker for an upcoming event, Dr. David E. Marcinko; MBA – Publisher-in-Chief of the Medical Executive-Post – is available for seminar or speaking engagements. Contact: MarcinkoAdvisors@msn.com
OUR OTHER PRINT BOOKS AND RELATED INFORMATION SOURCES:
- PRACTICES: www.BusinessofMedicalPractice.com
- HOSPITALS: http://www.crcpress.com/product/isbn/9781466558731
- CLINICS: http://www.crcpress.com/product/isbn/9781439879900
- ADVISORS: www.CertifiedMedicalPlanner.org
- FINANCE: Financial Planning for Physicians and Advisors
- INSURANCE: Risk Management and Insurance Strategies for Physicians and Advisors
- Dictionary of Health Economics and Finance
- Dictionary of Health Information Technology and Security
- Dictionary of Health Insurance and Managed Care
Share this:
Filed under: Information Technology, Practice Management, Pruitt's Platform | Tagged: Darrell Pruitt DDS, de-ID, dental eHRs, Dentists for De-Identification, ePHI, HIPAA, PHI |
The Leading Business Education Network for Doctors, Financial Advisors and Health Industry Consultants 
UPDATE – FTC promotes De-ID
Though it was hardly the intention of the FTC, its recent report titled the “Internet of Things” (IoT) is a damn good argument in favor of de-identification of electronic dental records.
“FTC Issues Report On The ‘Internet of Things’ – Mimicking its guidance to firms in other consumer industries, the FTC encourages data minimization in the quantity and type of information collected to decrease potential harm in the event of a data breach and to avoid using data in a way that is contrary to consumers’ reasonable expectations. When companies collect data for a reasonable business purpose, they should consider whether to collect de-identified data.”
By King & Spalding
JDSupra Business Advisor
[February 7, 2015]
http://www.jdsupra.com/legalnews/ftc-issues-report-on-the-internet-of-th-34913/
Dentists simply do not need social security numbers at chairside to do fillings. De-identification of dentists’ primary records is just common sense. Compared to expensive and cumbersome full disk encryption, it’s brilliant.
D. Kellus Pruitt DDS
LikeLike
Anthem Was Right Not to Encrypt
The Internet is abuzz criticizing Anthem for not encrypting its patient records.
http://thehealthcareblog.com/blog/2015/02/09/anthem-was-right-not-to-encrypt/
Clyde
LikeLike
Ransomware: A new reason for de-identification of electronic dental records. (I was wrong)
Remember when I said ransomware has not yet been linked to data breaches? I was 18 months late.
Here is what I have learned by sticking my neck out: Unbeknownst to many in IT security until today, over a year ago at least one ransomware variant proved capable of stealing patients’ PHI before maliciously encrypting everything. Even worse for HIPAA-covered entities, ransomware is becoming smarter as well as more contagious when combined with Angler and other malware. (See: “New ransomware campaign pilfers passwords before encrypting gigabytes of data – Surreptitious attacks often prey on people visiting legitimate sites.” By Dan Goodin for Ars Technica, December 3, 2015).
http://arstechnica.com/security/2015/12/newest-ransomware-pilfers-passwords-before-encrypting-gigabytes-of-data/
Like about half of the HIT experts I bumped into this week – some harder than others – I was wrong. The low probability of a data breach from ransomware expired in 2014 with the Benjamin F. Edwards Co. data breach.
This morning, Eric Brockman, Founder/CEO at Brockman IT services in Baltimore sent me the following link to a Forbes Tech article from June 28, 2014 titled “Benjamin F. Edwards Co. Discloses Data Breach Affecting Customers.” by Dave Lewis, a contributing author.
http://www.forbes.com/sites/davelewis/2014/06/28/benjamin-f-edwards-co-discloses-data-breach-affecting-customers/
Lewis: “The brokerage house, Benjamin F. Edwards & Co., disclosed yesterday that they had suffered a data breach due to an unknown intruder.” Lewis adds: “On May 24, 2014 Benjamin F. Edwards & Co. had their computer systems compromised by an unauthorized third party.”
In an undated update, Lewis adds:
“It turns out that the issue that lead to the data breach was a CryptoWall malware infection. This additional information was included in the New Hampshire disclosure notice.
‘In more detail, an employee of BFE was the victim of a CryptoWall malware infection (a variant of the more common Cryptolocker malware) that encrypted files on the employee’s computer and files on certain shared drives to which the user had access. As a result of the infection, data was transferred to a suspicious IP address. The investigation of a professional forensic expert has not, however, been able to reveal the content of the data transmitted to the IP address.’”
I was wrong. ransomware is far worse than I thought. Thanks, Eric.
Increasingly smarter ransomware will target doctors’ computers – slow-moving, juicy. I know this information is a little late, but since at least June 2014, ransomware incidents must be considered data breaches unless proven otherwise. The probability of ransomware-compromised PHI is rising fast. Watch for patients’ medical records to appear on the internet if ransom is not paid. Then watch patients seek paper-based providers.
Properly backed up data containing patients’ identities won’t be of much help in mitigating a data breach – other than provide a list of (former) patients who must be notified. On the other hand, if a dentist’s primary EHRs were de-identified – leaving only dental information on computers – that would lower their value as a target. If de-identified dental records are properly backed up, extortionists will soon prefer profitable computers which contain more interesting information.
De-identification, anyone?
D. Kellus Pruitt DDS
LikeLike