Liability

[dalek]

What is it with all of this assuming (Ass U Me), no professional should assume anything, there are procedures put in place, especially in a Hospital Enviroment (it's called PYB, Protect Your Butt).

First of all, why a Dr would be concerning himself with a computer when he has trained staff (Nurses) to do it for him, prior to looking at the patient is beyond me.(most info is fed to the Dr by Nurses)

If the Hospital in question has all of it's i's dotted and it's t's crossed, there will be SOP's for this particular scenario (Standard Operating Procedures).

So if the patients records are unavailable or do not exist and the patient is not wearing a Med Alert or is incoherent, then I am pretty damn sure there is a back up plan for all eventualities. Doctors are not that lame that,because the information was not available they would administer any type of drug on a whim or prayer, keeping their fingers crossed that the drug will be okay

Depending on the type of injuries sustained,or other problems (Heart related) this will determine the course of action by the Medical Staff, if it is heart related and is life threatening then I am sure that with even the possibility that this patient has "unknown" allergies to certain meds that it is taken into consideration when applying life saving medicines, so much so that they will probably do the err on the side of caution routine which may be to get the patient on life support and run some tests if they can before they administer the heavy drugs.

As to obvious physical injuries, the extent of the injury will determine the proper procedures, required also.

In other words, I would say the Medical staff would not be culpable, for the patients demise due to insufficent information available or provided.

It would be placed on the Administrators responsible for the care of patient records, and if the IT staff were negligent in ensuring the security of very highly confidential material, then (Sh*t rolls downhill).

[steve.milner]

The original point of this thread was to look at some scenarios, to discuss the finer points the liability in those scenarios.

In my opinion the real medical world would not work like that, but discussion of this I think is detracting from an interesting debate.

For those wishing to get into the finer medical details, I have started a thread in cosmos if anyone is interested:

http://www.antionline.com/showthread...hreadid=271451

[steve.milner]

There are two issues in this debate I think are worth considering.

Firstly there is criminalty and individual incompetance and secondarily there is corporate negligence leading to liability.

The criniality is as it says, and those who perform criminal acts can expect to be treated accordingly by the law.

Personal incompetance may or may not have liability depending on the demonstration of negligence.

The test would based on what a reasonable person, would do. Would a resonable person be expected to protect their machine?

However the health service has a responsibilty to take all reasonable care to protect its information:

Originally posted here by Soda_Popinsky

3. Alice's machine exploits the First National Hospital's database in an unfirewalled, unpatched, unsecured network service. The service did not need to be public.

I would suggest that no care has been taken here and few people would argue that they had taken reasonable care.

Hence I suggest that the First National Health Service is responsible

Steve

[catch]

but you can't tell me what your interpretation of that one sentence is?

"Patient dies from allergic reaction to meds after Doctor can't access patient records."

I understand this to mean:

A doctor was unable to access patient records.
Some amount of time passes.
A patient died from an allergic reaction to some medication or combonation of medications.

Everything else, including the doctor and patient even having a relationship is assumption. Given the informaion we have the doctor cannot possible receive any liability, we don't even know if the doctor that couldn't access the medcal records was the same doctor that treated to patient.

All we do know, is that somewhere along the lin someone in the Hospital administration failed to properly enforce the security policy for the network. We do not know if this was an inside job like a sysadmin angry with the hospital who exposed the network or if this was a general failure down the chain. We don't know if some Admin executive was cutting corners... all we know is that the database was improperly exposed.

Some doctor couldn't access records, and some patient died.

Beyond all that we are just guessing... maybe the doctor had been seeing that patient for 20 years and should have known about the allergy, maybe the patient didn't know about the allergy, maybe no records were availible in the first place... this is all guessing. And this is where you and I seem to differ... in that I would be unwilling to send someone to jail over a guess.

cheers,

catch

[Negative]

Hah. So maybe the patient database that was dropped by Mallory wasn't First National Hospital's (since it doesn't say that, and I'm not allowed to make any assumptions, no matter how implied they are) - maybe it was a Rumanian mental hospital's database...

And maybe Alice (the one whose machine exploited the First National Hospital's database) is not the same Alice as the one whose computer got compromised by Mallory (since it doesn't say that either) - maybe Alice (the one whose machine exploited the FNH's database) is a 60-year old Texan grandma, while the other Alice is nothing but an imaginary friend of yet another Alice (who has been locked up in a Rumanian mental hospital ever since she was born because of some disorder only found in Rumanians).

And, of course, "Johnny writes a worm that eventually compromises Alice's machine" does not imply that Alice's machine (the one that exploited the FNH's hospital database) got infected by the worm that Johnny wrote. It could very well be (but let's not assume here - implied meanings are good for nothing, after all) that Johnny has a pet worm (probably named Mallory) that went to visit with Alice (the alter ego of the real Alice in Rumania) - Johnny then decided to write his worm a nice letter so it wouldn't feel home sick. The worm then is so touched by Johnny's gesture that it jumps from joy and accidently unplugs ("compromises" in medical terms) Alice's breathing aid, actually causing Alice's death...

But let's not assume anything.

I understand this to mean:

A doctor was unable to access patient records.

But dear sir! That's not what it says! Do not assume - we all know what that can lead to! The OP clearly states "[...] after Doctor can't access patient records." Doctor! Not "a doctor"! Doctor is the name of the worm! After Doctor compromised Alice's breathing aid, it was kicked out of the mental hospital by armed guards - hence why it wasn't able to access patient records (who knows why it wanted to do that).

And this is where you and I seem to differ... in that I would be unwilling to send someone to jail over a guess.

I'm not wanting to send anyone to jail over a guess.
IF my assumptions (which are, imo, reasonable assumptions) are true, THEN there definitely is a case.
IF YOUR assumptions are true (which are also reasonable, but also assumptions nonetheless), THEN there is no case. It's simply as that, and has been from the beginning.

[bballad]

Negative, Catch. I worked in a HIPPA enviroment. Someone had to sing off on the fire wall and the network...somewhere there are SQ and SOP deaining with the security and network configuration of this envoroment. There would be an investigation (I have been through a fe...not ealign with anyone dieign but some minor compliance violations.). One of three things would be found, either the softwear faild (if the IPS/FIrewall?antivirus faild to catch the worm for whatever reason.) in which case the hospital may well sue the softwear provider to recoup costs of the malpractise suit it gets hit with. Or the softwear was installed/configured improperly, then the guy whos signature and initals are all over the SQ/OQ is in deep ****...he signed off that he did every step in the document...if a step was skiped or missed...well at minimum thats fraud at a federal level. The last possability is that the SQ/OQ was faulty then the architects are in trouble for haveing missconfigured apps to begin with.

The doctor will be hit with malpractice but unless he knew hat what he was doing would harm/kill the patiant he is sheilded from any further criminal charges.

Again my knowladge of hippa dosn't come from reading the doumnts (I did spend two days in class\seminars going over all of the HIPPA documents that relate to IT thogh). Or talking to administrators at a hospital, I was an applications intagration engineer (a combination of a systems archetect and application engineer for that compnay) At a Major pharma for a few years, every thing I did, every system I touched had HIPPA implications, I lived and breathed the regulations for two years..HEll I had auditors threatn me with fraud and jail time for useing the wrong pen, I had to argue with review boards to show that winzip didn't pose a compliance violation. I know what I am talking about.