Mark T. Edmead
An interesting thing happened to me last week, and it reminded me about the concerns information security professionals have regarding privacy and confidential information. I took my son to the dentist, and because I don't have dental insurance my plan was to pay for the dentist's services with my credit card.
During the new patient enrollment process, the form they gave me had a statement of their policy. In this policy it states that they need to have a credit card on file, just in case the insurance company doesn't pay. Now, I don't have a problem with the dentist wanting to get paid for services.
However, since I was already paying with a credit card, it didn't make sense for me to provide them with my credit card information so they could keep it on file. It's bad enough they already have a lot of information about me. In fact, the patient information form also asks for additional information, including my driver's license number (Why do they need to know my license?) and my social security number (Again, why does my dentist need this information?).
The medical industry is going through some major changes regarding the protection of patient information. The Health Insurance Portability and Accountability Act (HIPAA) is designed to improve efficiency in health care delivery by standardizing electronic data interchange, and it protects the confidentiality and security of health data by setting and enforcing standards.
Compliance with HIPAA requires:
o Developing new policies, processes and procedures
o Building "chain of trust" agreements with service organizations
o Redesigning a compliant technical information infrastructure
o Purchasing new, or adapting existing, information systems
o Developing new internal communications
o Training and enforcement
If companies want to gather personal information on patients, then they need to assure them that the information will not get into the wrong hands and that appropriate security controls are in place to prevent that.
By the way, I didn't provide the dentist with my credit card information, social security or driver's license number (after a lengthy discussion with the office manager).
Useful Web sites:
http://www.privacy.org/: A site for news, information and action regarding privacy.
http://www.hipaadvisory.com/regs/: Great HIPAA resource site.
About the author
Mark Edmead, CISSP, SSCP, TICSA, Security+, is president of MTE Software Inc. and has more than 25 years of experience in software development, product development and network systems security. He is co-author of the book Windows NT: Performance, Monitoring and Tuning published by New Riders and editor of the SANS Business Continuity/Disaster Recovery Plan Step-by-Step Guide.