Security controls needed when collecting personal information


Mark Edmead
02.10.2003

An interesting thing happened to me last week, and it reminded me about the concerns information security professionals have regarding privacy and confidential information. I took my son to the dentist, and because I don't have dental insurance my plan was to pay for the dentist's services with my credit card.

During the new patient enrollment process, the form they gave me had a statement of their policy. In this policy it states that they need to have a credit card on file, just in case the insurance company doesn't pay. Now, I don't have a problem with the dentist wanting to get paid for services.

However, since I was already paying with a credit card, it didn't make sense for me to provide them with my credit card information so they can keep it on file. It's bad enough they already have a lot of information about me. In fact, the patient information form also wants additional information including driver's license (Why do they need to know my license?) and my social security number (Again, why is this information needed by my dentist?).

This incident reminded me of how much personal information is sometimes requested by organizations. How much private and confidential information is leaving your company without your knowledge? Does your company have a privacy policy regarding the dissemination of private corporate information? Should you be concerned with the information you provide your doctor or the hospital? Would you want your hospital to release private information without your consent or knowledge?

There are differences between confidentiality and privacy. Confidentiality, one leg of the information security triad (confidentiality, integrity and availability), is the assurance that information being transmitted can be viewed only by its intended recipients. Encryption is a good enabling technology that makes confidentiality possible. Privacy, on the other hand, is the level of confidentiality that is actually provided. Corporate users, for instance, have an expectation of privacy when it comes to e-mail: they believe that their corporate e-mail account is private and that no one should view their messages. In reality, most companies have a privacy policy that states, in effect, that employees' e-mail is NOT private and that the company has the right to view it at any time.

The medical industry is going through major changes regarding the protection of patient information. The Health Insurance Portability and Accountability Act (HIPAA) is designed to improve efficiency in health care delivery by standardizing electronic data interchange, and it protects the confidentiality and security of health data by setting and enforcing standards.

Compliance with HIPAA requires:

  • Building initial organizational awareness of HIPAA
  • Comprehensively assessing the organization's information security systems, policies and procedures
  • Developing an action plan with deadlines and timetables
  • Developing a technical and management infrastructure to implement the plan
  • Implementing a comprehensive action plan, including:
        o Developing new policies, processes and procedures
        o Building "chain of trust" agreements with service organizations
        o Redesigning a compliant technical information infrastructure
        o Purchasing new, or adapting, information systems
        o Developing new internal communications
        o Training and enforcement

Regardless of whether you are in the medical profession, privacy is an issue every organization needs to address. Privacy requirements are typically set out in the security policy or in a separate privacy policy.

If companies want to gather personal information from patients, they need to assure them that the information will not get into the wrong hands and that appropriate security controls are in place.

By the way, I didn't provide the dentist with my credit card information, social security or driver's license number (after a lengthy discussion with the office manager).

Useful Web sites:

http://www.privacy.org/: A site for news, information and action regarding privacy.

http://www.hipaadvisory.com/regs/: Great HIPAA resource site.

About the author
Mark Edmead, CISSP, SSCP, TICSA, Security+, is president of MTE Software Inc. and has more than 25 years of experience in software development, product development and network systems security. He is co-author of the book Windows NT: Performance, Monitoring and Tuning, published by New Riders, and editor of the SANS Business Continuity/Disaster Recovery Plan Step-by-Step Guide.

