VA facilities violate prohibition on using online tools to share patient data

The most recent incident involved the posting of patient information on Yahoo Calendar by the Chicago Health Care System’s Orthopedics Department, according to the VA’s monthly report to Congress.

According to the November report, the full names of over 1000 patients, along with their dates of surgery, types of surgery, and last four numbers of their social security numbers were placed on the Yahoo Calendar.

The Orthopedics Department has used the calendar to store patient information since July 2007. Residents were sharing the same user account and password to access the data, and the password had not been changed in three years, according to the report.

Access to the calendar was blocked on Nov. 24, a day after the VA discovered the incident, and the information was deleted Nov. 29. Notification letters were sent to a total of 878 patients. The VA did not indicate if any of the data had been lost or stolen.

"The government, by itself, cannot keep up with Yahoo, Google, Apple and others that are creating great applications for medical usage", Roger Baker, the VA’s chief information officer, was quoted by Federal Times as saying. VA is "spending a lot of time trying to figure out how to go from saying no to saying yes for these kinds of apps."

The VA prohibits patient information from being stored on systems outside its firewalls. Baker said that the VA is looking at ways to bring online tools inside the firewall. The tools would have to meet Federal Information Security Management Act certification levels, he stressed.

What’s Hot on Infosecurity Magazine?