
2015/08/03 Healthcare Data Security: ‘I’ Well Before ‘C’ [by Cédric Cartau, CISO of Nantes Hospital]

Let’s conduct a fun little experiment. Your name is Michel Jaury. At 9:00 a.m., you walk into your bank branch. The bank teller politely asks how he may help you. You proceed to tell him that six months ago, you opened — by mistake — another account at this branch, but — again, by mistake — under the name of Miguel Raujy. A regrettable mistake, especially since you’ve been carrying out transactions for six months: transfers, card payments, stock market operations, etc. If the teller would be so very kind as to transfer all these operations by merging them with your real account — under the name of Michel Jaury — you would be ever so grateful. Of course, you don’t wish to close your old account and transfer the balance to your real account. No, no. All you want is to merge the two accounts, taking into account your minimum balances, certain operational integrity constraints, etc. To add spice to the mix, you go back to the same branch the next day to report that the accounts were actually merged by mistake, and must be split and put back the way they were.

This situation is unthinkable in the world of banking, as well as in the telecom and insurance sectors. Yet it is very common in the world of healthcare: at a medium-sized university hospital in France (with around 8,000 employees), there are an estimated 30 to 50 identity mergers per day: a single patient is known under two different identities, making it necessary to merge their records of examinations, allergies, etc. The reason? Human error in entering identity data, blind creation of identities for patients unable to give their names, social security card errors (very common), names that are difficult to spell, etc. And every day, there are also two to five splits (two patients erroneously known under the same identity) or de-mergers (cancellations of mergers done by mistake). No classic CRM (customer relationship management) system is able to take such constraints into account.

Why is this? Because, at a bank branch, people usually arrive standing on their own two feet and possessed of their physical and intellectual capacities. And because, at a bank branch, most of the time the same customers come in, and employees identify them very quickly. All the same, it is fortunately rare that you can withdraw cash at the counter without the staff being certain of your identity, whether they recognise you or ask to see an official document.

In a hospital, some people do not arrive standing on their two feet: they may be having an emergency, in a coma, etc. Some people are unable to give their identity: perhaps they are newborns, patients with Alzheimer’s disease, foreigners on holiday who do not speak the language, victims of major accidents, etc. Some people are no longer alive: they may have drowned, committed suicide, been recovered from the nearest river, etc. Some people are no longer whole: they may arrive as donor organs awaiting transplant or pieces of a corpse about to undergo an autopsy. Finally, some patients are not even human: the laboratories at a university hospital perform blood tests for a number of local veterinarians, and it is not quite enough to identify a dog as ‘Fido’ or ‘Spot’.

Yet, despite all this, the patient must be identified and linked to a unique existing or newly-created record, with certainty and minimum risk of error. It is necessary to assign an identifier (PPI, or permanent patient identifier), without which it is very difficult to perform blood tests: a clinical chemistry laboratory at a university hospital analyses 6,000 to 10,000 tubes per day. This is more like an industrial activity, with the tubes identified by bar codes linked to the PPI of the patient from whom the blood sample was taken. One mistake can be very costly: the wrong type of insulin could easily kill a diabetic person. In other words, in order to manage the large numbers of patients who visit the hospital or the A&E department every day (200 to 500 people at a university hospital in France), it is crucial to identify them with certainty, link them to a patient record, be aware of their medical history, etc. Certainly, it is possible to redo all a patient’s examinations in case of doubt, but then the patient’s medical history (Are they in treatment? Have they taken their pills? Are there drug incompatibilities?) is unknown. This represents a lost opportunity in the care process: several hours are lost, and in life-threatening emergencies, every moment counts.

The field of identity vigilance (IV) consists of enacting rules for entering names in a uniform manner in a patient record, assigning a stable PPI and rooting out errors at every step of the treatment chain. After 15 years in the world of healthcare, I am always frightened when I see that a new undocumented case is detected around once every three months: an elderly person has become a naturalised citizen and their social security card specifies a name different from the name on their identity card; a celebrity seeks anonymity but suffers from a disease in which it is best not to make dose errors, etc. Bar code wristbands are an improvement, but recently, in the paediatrics department at my institution, a family with twins (two boys around six years old) was in the waiting room waiting for the children to undergo some examinations. The somewhat unruly twins found nothing better to do to entertain themselves than swap wristbands out of their parents’ sight. The healthcare staff became aware of the swap only at the last moment.
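The merge, split and de-merge operations described above (and the daily volumes quoted earlier) are what a patient-identity registry has to support without ever losing a record. The following is an added illustration, not code from the article or from any hospital system: a minimal PPI registry in which a merge only deactivates the retired identity and tags every record with its origin PPI, so that a mistaken merge can be undone exactly and an old wristband still resolves to the surviving identity. All PPIs, names and records are constructed sample values.

```python
class Patient:
    def __init__(self, ppi, name, records):
        self.ppi, self.name, self.active = ppi, name, True
        self.records = [(ppi, r) for r in records]  # (origin_ppi, record) pairs

class IdentityRegistry:
    def __init__(self):
        self.patients, self.merged_into, self.journal = {}, {}, []  # journal is append-only

    def create(self, ppi, name, records=()):
        self.patients[ppi] = Patient(ppi, name, records)
        self.journal.append(("create", ppi, name))
        return ppi

    def resolve(self, ppi):
        """Follow merge pointers so a wristband printed under an old PPI still resolves."""
        while ppi in self.merged_into:
            ppi = self.merged_into[ppi]
        return ppi

    def merge(self, keep, retire):
        """Merge 'retire' into 'keep': nothing is deleted, records keep their origin tag
        and the retired identity is only deactivated, so the merge can be undone."""
        if keep == retire or keep in self.merged_into or retire in self.merged_into:
            raise ValueError("identity already merged")
        k, r = self.patients[keep], self.patients[retire]
        k.records.extend(r.records)
        r.records, r.active = [], False
        self.merged_into[retire] = keep
        self.journal.append(("merge", keep, retire))

    def demerge(self, keep, retire):
        """Undo a merge: records that originated under 'retire' are handed back to it."""
        if self.merged_into.get(retire) != keep:
            raise ValueError("no such merge to undo")
        k, r = self.patients[self.resolve(keep)], self.patients[retire]
        r.records = [rec for rec in k.records if rec[0] == retire]
        k.records = [rec for rec in k.records if rec[0] != retire]
        r.active = True
        del self.merged_into[retire]
        self.journal.append(("demerge", keep, retire))

    def split(self, ppi, new_ppi, new_name, belongs_to_new):
        """Two patients wrongly share one identity: move the selected records to a new PPI."""
        src, dst = self.patients[ppi], self.patients[self.create(new_ppi, new_name)]
        dst.records = [(new_ppi, rec[1]) for rec in src.records if belongs_to_new(rec[1])]
        src.records = [rec for rec in src.records if not belongs_to_new(rec[1])]
        self.journal.append(("split", ppi, new_ppi, len(dst.records)))
        return new_ppi
```

Records added to the surviving identity after a merge carry its own PPI as origin, so a later de-merge leaves them where they were; the journal is the audit trail a reviewer would consult when a merge is contested.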

The French national press regularly reports on security incidents leading to the disclosure of patient records on the Internet. In one of the latest incidents, the results of 11 patient tests from the LABIO laboratory were released online. The authorities took offence and seemed to believe that in the world of healthcare, confidentiality is the number-one concern. In fact, this is not true. There are some areas in which confidentiality is the number-one concern: all anonymity-related matters (these cases are defined by decree and include HIV testing, abortions, births under X, etc.) and medico-social aspects (e.g. psychiatry). But apart from these cases, which do not represent the majority, the number-one concern by far is integrity, whether that of patients’ identities or data entered in the systems.

In 2004, in the radiotherapy department at Hôpital d’Épinal, new software was delivered for the PC that controlled the irradiation system. In this new version, one field had been changed: it had previously been expressed in ‘milli-units’, and was now expressed in ‘units’ (a thousand times more). The new version was perfectly documented, yet the institution did not set up the necessary procedures to describe the new version, inform the department staff, etc. End result: around 5,500 people were over-irradiated. Among them, 25 were severely over-irradiated, and five died.

In the world of healthcare, there have never been deaths owing to a lack of confidentiality. There have not been, but will be, deaths owing to a lack of availability (system failure). There have been, and will be, deaths owing to a lack of integrity. All these differences between the world of healthcare and other fields, such as banking, as mentioned above, are not really differences: each field possesses its own particular hierarchy of risks. When dealing with money, the biggest risk is losing it. This is neither good nor bad. It simply is. Similarly, when dealing with patients, the biggest risk is losing them. For this same reason, in the world of healthcare, emphasis is often placed on integrity, and confidentiality comes well after it.

The most confidential medical record in the world is the one that nobody has access to. When you are on holiday on the other end of France with your little one who suffers from haemophilia (4,000 cases in the country), and he falls and starts bleeding, what do you prefer: that the local practitioner have access to his medical record, even if it is open to a few too many people, or that he treat him blindly?