The Berkeley breach: Is SaaS the answer?

By Don Leatham

One recent Friday afternoon I took time off to visit two new health providers:  a new dentist (nearer my home) and an orthopedic (to look at my lateral epicondylitis).  In both cases, as a new patient, I filled in page after page of medical history and personal information, including my Social Security Number.   I did pause, but I have to admit I wrote it down both times (I’ve grown weary of the discussions/arguments that ensue if I don’t – I’ve even been denied service from a healthcare provider who felt my SSN was their only tool, should I decide not to pay).

One recent Friday afternoon I took time off to visit two new health providers:  a new dentist (nearer my home) and an orthopedic (to look at my lateral epicondylitis).  In both cases, as a new patient, I filled in page after page of medical history and personal information, including my Social Security Number.   I did pause, but I have to admit I wrote it down both times (I’ve grown weary of the discussions/arguments that ensue if I don’t – I’ve even been denied service from a healthcare provider who felt my SSN was their only tool, should I decide not to pay).

At roughly the same time I was giving up my personal information to multiple health care providers, the University of California Berkeley was notifying over 160,000 people that  their personal information (health-related) had been given up to hackers somewhere in the Asia-Pacific region.  Berkeley is recommending each take fraud protection measures immediately.

[ SEE: More than 160,000 affected by data breach at UC Berkeley ]

As I read the announcement from Berkeley over the weekend, I had to rethink my SSN-sharing decision.  I have no idea if the small 3-dentist practice has my data on an Internet facing computer.  I know one of the dentists personally and he is only moderately tech savvy.    The orthopedic practice was much larger, but were they large enough to have a decent IT person who knows more than just the basics? I’m sure both could use some help.  Could that help be found in a cloud-based, SaaS practice management system?

I’ve been very skeptical of the whole effort around storing patient healthcare records in the cloud, but now I’m rethinking that position.   Where would I rather have my personal healthcare data?  In an obscure, lightly protected office on Main Street?  Or in a well secured, yet highly targeted cloud-based repository.

[ SEE: Who decides what health data is sensitive? ]

While “security by obscurity” is a common security strategy, I’m wondering if it really applies to the small practice.  Almost all healthcare practices, large and small, are listed on multiple phone/address websites (name, address, phone, website, etc.) as well as provider directories from multiple insurance agencies.   In agregate, a list of individual practices might represent a large enough target to solicit an attack.

So, it is arguable that obscurity does not apply in the case of healthcare practices of any size, and therefore, the cloud is probably the safer option.  Should we require that practices that can’t demonstrate adequate patient data protection use qualified SaaS/cloud-based practice management software?  I believe this is an argument that needs to be discussed right next to the amount of money that will be saved by cloud-based healthcare record management.

Would a cloud-based healthcare management system have helped avoid the Berkeley breach? Possibly.  It will be interesting to watch the debate unfold.

Oh, and my lateral epicondylitis?  Well, the orthopedic doc said that after she administered the cortisone shot in my elbow (done with an excessively long needle) I should lay off the weights for a few weeks and my “tennis elbow” would clear right up!

* Don Leatham is senior director of solutions and strategy at Lumension.

Suggested articles

LifeLock CEO A Frequent Victim of ID Theft

A CEO who publicly posted his Social Security number on billboards and
TV commercials as part of a campaign to promote his company’s credit
monitoring services was the victim of identity theft at least 13 times, a
news report says. Read the full article. [Wired]

Discussion

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.