Interesting things have been happening in California since they changed their privacy laws this year. The latest is a $250,000 fine to Kaiser Permanente's Bellflower hospital for having “failed to prevent unlawful or unauthorized access to, or use or disclosure of a patient's medical information, as required by Section 1280.15 of the Health and Safety Code.”
Through California’s privacy laws a stronger business case is developing to implement identity authorization and access controls. Or is it? I mean, when you read a quote like this and you work in identity management, you get excited.
Dr. Deborah Peel, founder of Patient Privacy Rights Foundation in Austin, Texas, said new technologies should be used to prevent unauthorized workers from accessing data in the first place.
"Fines are a last resort and I'm sure they will help," Peel said, but unprotected patient information is "like leaving money in an unlocked room."
But when you break it down, is it really creating a meaningful business case? Is it harsh enough to be a call to action? At first $250,000 sounds like a lot, and it is the maximum fine under the new California law. But Kaiser employs around 160,000 employees across 32 medical centers and makes about $38B (taken from Hoover’s public data for 2007). That’s an average of 5,000 employees per center and an average of $237,500 in revenue per employee. If you assume not all employees have access to medical files, $250k puts you in the range of $100 per employee who has access rights. There are a lot of things you could do to save $100 per employee. Do you go to the trouble of implementing identity access control solutions, which will probably cost much more than $100 per employee?
If you factor in the risk that your organization actually gets caught – in other words, the chance you are taking by not putting in access control tools when employees still peek despite being told not to and the breach is exposed – you are in the $5-$10 range per employee. Do you solve for something that would impact your organization at $5-$10/employee, or do you prioritize something that saves more money per employee?
It is great that this is happening, but breaking the rules has to have meaningful consequences.