Medical records

• medical-record security lapses are newsworthy nowadays
• Boston example (early June): brain cancer test results faxed to store
• Health Insurance Portability and Accountability Act of 1996
• HIPAA -- see erm.aspe.hhs.gov; final rules not yet published
  • must assess potential risks and vulnerabilities
  • develop, implement, and maintain appropriate security measures
  • administrative procedures to guard data integrity, confidentiality
  • internal audit of logins, file accesses, and security incidents
  • functional testing, penetration testing, and verification
  • formal documented instructions for reporting security breaches
  • user education in password management
  • penalties for misuse or misappropriation of health information
  • Computerworld, 24 July: "could face fines and possible jail time"

• MIT server contained a file available via a very simple attack

Copyright 2000, Massachusetts Institute of Technology. All rights reserved.
Quote is from "Maimonides CIO: Health Care Faces Y2k-Scale Challenges", Computerworld, Vol. 34, No. 30, July 24, 2000, page 20.