Eye on ethics: Guarding the data mine

June 19, 2006

Large thefts of electronic patient records have occurred recently in several health systems. How secure are pharmacy patient data, and does the responsibility for guarding those data extend beyond the IT department?

Despite repeated staff training, a surprising number of losses occur "through employees making mistakes or inadvertently revealing information. It is ironic that so many organizations do not have a comprehensive awareness program in place, perhaps missing the obvious and focusing upon the more stimulating high-tech threat instead," states a recent edition of the ISO17799 newsletter (go to http://www.17799central.com/news.htm). The International Organization for Standardization, originator of the international ISO9000 system of quality standards, developed this information security quality standard.

Pharmacists work both in the realm of abstract problem-solving and with patients and medications, and they should insist on being part of the IT security development process. Nearly every patient uses pharmacy services, and hundreds of patients we see each day could be affected by a security breach, even though it may occur miles from the pharmacy. IT specialists may not appreciate the waste of staff time and the damage to the pharmacy profession that occur when records are lost, not to mention the loss of privacy. Identity thieves even use health insurance fraudulently, which can further compromise the integrity of patient records.

Best practices in data management within facilities include encrypted e-mail, laptops programmed to erase their own hard drives after several unsuccessful logins, user-specific encrypted jump drives, Web-based systems, and scrupulous shredding of unneeded documents. These procedures protect systems and hard copies, but what about those people walking in and out of facilities?

A cyber crime investigator, formerly with the FBI, said most hackers manipulate people, not data. Temps who circulate among facilities and infiltrators dressed like maintenance people can penetrate the more casual security of outpatient pharmacies. The same investigator said leaders need to develop a contingency policy and statements before a crisis occurs, to protect their credibility as well as data.

How many of us are ready for a major loss of patient data? How can pharmacists help steer the development of policies and procedures? One health system trains clinicians from every department as systems analysts, working between IT and practitioners to train and troubleshoot. IT professionals are also oriented to patient care, strengthening understanding of issues common to the healthcare team, including the consequences of security breaches.

Pharmacists who have experienced the physical theft of drugs, by the public or by employees, may be better attuned to the realities of loss prevention than those who work in more sequestered areas. Those trained in outpatient facilities learn to watch for and prevent opportunities to intercept or misuse patient records. The public also constantly scrutinizes our handling of its information.

Analyzing security gaps, building a quality data protection policy and recovery plan, and carefully screening and training employees are essential activities for ethical pharmacists. Involving all professionals, including R.Ph.s, in security design will also help prevent an atmosphere of mistrust. We have far too much work to do for our patients to spend valuable time watching one another.

Disclaimer: This column highlights ethical situations that often occur in pharmacy practice. It is designed to stimulate discussion on how to deal with these situations and is not intended as legal advice. Pharmacists who need immediate assistance should consult their attorneys, employers, state boards of pharmacy, and state and federal laws.

THE AUTHOR has practiced long-term care and community pharmacy in Oregon for more than a decade and has served on numerous professional and community boards.