Medical Data Breaches Put Patients at Risk

Doctors can’t cure the common cold and health care IT managers apparently can’t stop the common data breach.

Twenty-one of the 101 of the breaches tracked so far this year by information security group Attrition.org occurred at health care organizations.

For example, insurer WellPoint said in early April that lax security on two servers run for it by a vendor likely exposed on the Internet some personal and medical data for 128,000 patients.

MORE ON CIO.com

Paper Proves Resistant to Electronic Medical Records Cure

HIPAA May Have Privacy Loophole

Trouble Complying with HIPAA

Also in April, New York Presbyterian Hospital notified 40,000 patients that their personal information, including names, phone numbers and some Social Security numbers, were stolen, possibly by a hospital employee. A federal investigation and internal audit are underway.

Whether on paper, as so many medical records remain, or electronic, health care data must be protected according to state and federal regulations. But just because health care staff say they know the rules doesn’t mean that information is safe, concludes a new survey from the Healthcare Information and Management Systems Society (HIMSS), a nonprofit professional group for IT managers. The group, with security consulting firm Kroll, polled 263 chief security officers and managers of IT and of health care information.

For example, 75 percent of respondents gave themselves the highest rank possible when it comes to familiarity with HIPAA: 7, on a scale of 1 to 7. The Health Information Portability and Accountability Act, or HIPAA, governs whether and how patient data may be seen and by whom.

HIPAA compliance proves difficult in itself for the organizations that must follow those rules. Early this year, the National Institutes of Health had a laptop stolen, containing patient’s private information, from an employee’s car. In January, Fallon Community Health Plan announced a laptop being used by one of its vendors was stolen and it, too, contained patient data. In reporting those incidents to the public, each said how they “regret” the thefts. While these organizations offered credit monitoring to affected patients, many companies leave identify theft victims to fend for themselves.

What It Takes to Follow Through on Security Rules

Getting employees and contract vendors to follow corporate security policies requires cajoling and sometimes a bit of drama, says John Hummel, chief technology officer at Perot Systems’ health care services group. Hummel has also been CIO at Sutter Health> and at the organization that oversees health care in California’s state prison system.

At Sutter, Hummel found that the various clinics and hospitals the company had acquired over several years “had HIPAA rules and IT policies that were, for the most part paper tigers,” he says.

“It was a lot easier to say we had a policy on passwords or shared accounts than it was to accept the reality of what was common in practice,” he says. Employees shared passwords and used easy-to-break ones, he says.

So Hummel put four of his certified information systems security professionals (CISSPs), two of whom were certified in computer forensics, on an internal white-hat hacker team. He took the group to Sutter’s board meetings and other executive meetings to demonstrate how permeable Sutter’s password practices were.

“My hackers would break any password they could come up with in less than five minutes,” he recalls. These one-act plays helped Hummel get extra money for security tools and training, he says. “Ah, the politics of the CIO’s world.”

In its survey, HIMSS found that most health care organizations, the emphasis is on protecting data privacy and not preventing or detecting fraud perpetrated with that data. Among the 34 survey respondents who admitted having been breached, almost half didn’t notify their patients and about as many indicated that “reprimanding the employee” is an effective response to the incident. See the full survey here.

Reprimands, however, do little when crime is the intent.

Electronic Data Systems and Tenet Healthcare are both dealing with the aftermath of former employees having taken patient data to commit identify theft. A one-time EDS employee pleaded guilty in February to conspiracy to defraud the U.S. government via false Medicaid claims. A former employee in Tenet’s Texas billing center who had access to data on 37,000 patients pleaded guilty to identity theft in January.