Identity Crisis
The push is on to protect sensitive computer data.


Following a recent spate of incidents involving lost and stolen protected health information (PHI), the Johns Hopkins Health System is on a mission to keep patients’ protected data from falling into the wrong hands.

Problems with computer security breaches plague many industries, from banks to retailers to government agencies. The health care industry is no exception.

Ironically, the culprit in Hopkins’ most recent episodes isn’t the savvy hacker cracking computer networks from the outside. In general, the problem tends to be a “lack of focus and carelessness” by employees, says Donald Bradfield, senior counsel for HIPAA (Health Insurance Portability and Accountability Act).

Those employees could be researchers handling subjects’ PHI for their studies, physicians and nurses carrying detailed files off-site, or managers who don’t encrypt computers and flash drives. 

Senior Counsel Meg Garrett recalls seeing a physician walking around with a stack of medical records. “It’s got to stop,” she insists.

When a car is burglarized or a laptop stolen, the thief usually isn’t looking for information, but for something tangible to sell, says Bradfield. But the Health System still has to prepare for the possibility of identity theft—a labor-intensive and costly process. When incidents of lost PHI have occurred, Hopkins has notified the patients who were affected and offered credit monitoring and other counseling services.

In addition to those costs, stolen and lost protected health information invites regulatory intervention and can compromise the hospital’s reputation.

Increasingly, there’s less tolerance for employees who have been trained on HIPAA standards but still lose patients’ health information under careless circumstances. Sometimes offenders are being severely disciplined and even terminated from their jobs, says Bradfield.

“The biggest challenge from day one is to get the policies and training followed in the first instance,” says Bradfield. “It’s getting people to absorb it and put it into practice.” After the initial training, such as at the new-employee orientation, there is very little reinforcement of updated policies and procedures regarding HIPAA. That will change somewhat, Bradfield says, with the Health System’s plans to require employees to get periodic refreshers on HIPAA.

Hopkins’ IT department also has been busy trying to protect patient information. Last August, they launched an aggressive computer security program to encrypt the tens of thousands of backup tapes that are sent off-site to be copied, as well as oversee installation of data protection software in the 11,000 laptops used by faculty and staff. Additionally, efforts are under way to protect Hopkins Medicine’s 20,000 to 25,000 desktop computers.

Other plans, says Bradfield, include developing a way to more quickly identify and investigate potential PHI losses, as well as to audit selected sites to determine their compliance with basic security protocols. Hopkins has also developed a relationship with an outside vendor to respond quickly when PHI has been compromised.

If Bradfield can offer one piece of advice to employees for reducing risk, it’s “Think.” If employees really need to have patient information off-site, they should ask themselves whether they need it for all 50 patients or just the 10 people they’re visiting on a particular day. Do those records need to have Social Security numbers with them? Should the employee bring the paperwork into his or her house, or leave it in the back seat of the car?

For Garrett, the message is more direct: Don’t take any sensitive paperwork out. “We don’t need the paper. If it is necessary to have the information, it should be on an encrypted laptop.”

That’s exactly what the Johns Hopkins Home Care Group has done to protect the information that its health care workers take with them into the community.

“In the old days, nurses would literally have a traveling file cabinet in the car,” says Mary Myers, Home Care Group’s chief operating officer.

Now, Home Care clinicians carry encrypted laptops that they’re required to keep with them at all times; they download only the information on the patients they are visiting on a given day; and there are three levels of security to get into the patient database. In addition, each year employees take mandatory refresher training on HIPAA.

Even if people breach policy, Myers says, “We have hard stops so patients are still protected if their information is lost or stolen. Patients trust us with their information.”

— Janet Anderson



Johns Hopkins Medicine

© 2007 The Johns Hopkins University
and Johns Hopkins Health System