Protection of PHI – Why we must pay attention to the internal threat.

Posted on August 11, 2014

By Christine Ross

A few years before Canada and the USA had enacted privacy legislation, I was working at an IT services company as a software developer customizing, implementing and supporting patient management systems for hospitals.  I had been with the company for a couple of months when my director stopped by my desk to introduce himself and welcome me to the company.  I was surprised that someone three levels above me in the company would even know who I was, let alone take the time to stop by for a chat…


After a little small talk, he asked if I could show him one of the systems I was working on.  Eager to impress him, I launched one of the test systems and showed off my newly acquired application knowledge.  As he scanned the patient names he commented that “Mickey Mouse” and “Donald Duck” didn’t look like real patients and asked if I could show him a live system.  Even though no privacy legislation required it, my company had trained me in the importance of confidentiality.  Being young and inexperienced, I didn’t know how to say “no” to my director, so I lied and told him that I didn’t have access to any live systems.  He thanked me and left.  I later found out that he was testing me.

I’ve told this story to a few colleagues over the years, and many believe it is wrong for a company to put a new employee in such a difficult position. While I admit it was an uncomfortable few minutes for me, that incident had a profound effect on me and I’m thankful for a lesson that will last a lifetime. I gained a true appreciation for how easily internal breaches of confidentiality can occur. I also recall being terribly impressed that someone so far removed from the day-to-day work cared enough about the confidentiality of our customers’ data that he would take it upon himself to test new employees. Today we have privacy legislation and standards to guide us in how to keep protected health information secure, and most companies invest a lot of resources in the protection of their systems and data from external threats.

Do we remember to give internal security measures the same degree of diligence?

Do we train our employees regularly on security practices?

Do we ensure our executives demonstrate visible support for our security programs?

Do we test ourselves?

If not, we may find ourselves in the same unfortunate circumstances as the UC Medical Center.  What happened to them could easily happen to any organization.


Christine Ross is the Compliance Manager and Privacy Officer at Intelligent Hospital Systems Inc. – designer and manufacturer of RIVA, a Fully Automated IV Compounding System.
