Are my dog’s medical records protected by HIPAA? I couldn’t help but ask myself this question as I stood at the check-in desk at my veterinarian’s office this past weekend and noticed that a userID and password were clearly visible on a post-it note, stuck to the countertop just beneath a computer monitor.
Even upside down, the little yellow square piece of paper was easy to read — and even easier to remember given the simplicity of the chosen username and password. It wasn’t quite “user” and “password123” but it was pretty darned close. My dog could have probably guessed it.
Duncan the Dog started making that gagging sound again. He must have found some forbidden scraps from the Thanksgiving feast a few days before, and he was clearly feeling sick. I felt a little nauseous, too, when I realized the credit card processor was attached to the computer with the post-it note. I’d be swiping that thing a little later, no doubt, and I wondered how many other dog-dads and cat-ladies may have taken note of the login credentials. How do you spell PCI-DSS?
A colorful sign hung nearby, asking for my patience as the staff was learning a new computer system. I told the nice person behind the counter that I worked in IT and asked about the new computer system. It finally brings the records and billing systems together, she explained, and then she told me the name of the new software product.
I glanced down again at the upside-down post-it note and saw that the userID and password were labeled with the name of the product she’d just told me about.
I wondered how quickly I could log in to the vendor’s website and see my dog’s records. Or maybe change the balance in my account. Not that I’d actually do that. But someone might.
And so ends this friendly reminder that writing down passwords and sticking them to your desk is not a good idea. The time you might save by using this kind of shortcut in a busy workplace can quickly be offset by a crippling systems breach or PCI compliance violation that originated with your little sticky-note.
We all do it, and it’s just not worth it.
(And it turns out that, yes, animals have a HIPAA privacy equivalent. Check it out: https://www.avma.org/Advocacy/StateAndLocal/Pages/sr-confidentiality-patient-records.aspx. Who knew?)
Anyway, I have to go back to the vet this week for a follow-up visit, but Duncan the Dog is already feeling better, FYI. And when I do go back, I plan to talk with the office manager — discreetly and as nicely as possible — about my cybersecurity observation.
I hope they will accept my advice – and Duncan’s stool sample — in the spirit in which both are offered.
***
(Update: I called the vet this morning, we talked, and they appreciated the advice. I guess I’m not in the dog house.)