As the country begins the full implementation of the Affordable Care Act, which coincides with the government effort to digitize medical records, it is disconcerting to note that the track record of government in data security is pretty awful. There has been a lot of news recently about the potential security vulnerability of the healthcare.gov web site, but that may be just a small part of a larger issue with healthcare data.
Easy access to a person’s healthcare data could have enormous benefits. Clearly, if you are brought unconscious into an emergency room you would want the doctors and staff to know everything about your medical history, what you are allergic to, what meds you are on, etc. Just as clearly, there is potential for abuse and serious security concerns.
According to a recent study by the Ponemon Institute, a staggering 94% of healthcare organizations have experienced a data breach in the last two years. In April of last year, the Utah Department of Technology Services reported that 780,000 Medicaid patient claims records were stolen by a hacker operating out of Eastern Europe. The breach was blamed on a misconfigured test server deployed with a weak password. In the same month it was reported that a former state employee in South Carolina had stolen 228,000 Medicaid participants’ personal data records. He was caught sending the data by email!
The remarkable thing about most data breaches is that they are utterly preventable. A study last year by HIMSS Analytics and Kroll Advisory Solutions said that when health care data breach victims were asked what factors contributed to the breach:
* 45% cited a lack of staff attention;
* 31% cited the use of mobile devices to store health information; and
* 28% cited the sharing of health information with third parties.
These factors are closely related: staff who pay no attention to data security are the same staff who misuse mobile devices and share data unnecessarily. The age of mobile computing and BYOD is challenging for all organizations, and healthcare data is a particularly rich target. All it takes is a momentary lack of attention and a laptop can disappear. Just last week we learned that 4,000 patient records from the Oregon Health and Science University were compromised because a surgeon lost his laptop while on vacation. Whether such a loss is a hardware replacement or a reportable breach depends on whether the drive was encrypted; an unencrypted laptop puts every record on it in the hands of whoever finds it.
According to a Verizon study in 2012, most data breaches occur because the victims did not take the basic and obvious steps to protect their data. Every computer that connects to an organization's network needs antivirus scanning and a personal firewall. A significant problem is that many small and medium organizations simply do not view every "endpoint" computer as a network computer. Most notably, many retail operations do not apply antivirus and firewall protection to point-of-sale systems.
I have no doubt that healthcare organizations are equally lax with the many new devices used in medicine that communicate across networks. They would be wise to take advantage of endpoint management software that manages security software and ensures updates are correctly applied.
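One way to put "every endpoint is a network computer" into practice is to audit an inventory exported from whatever endpoint management tool is in use and flag any device, whatever its class, that lacks the basics: antivirus with current signatures, a host firewall, patches applied on schedule, and disk encryption on anything mobile. The script below is an added example, not code from the original article or from any vendor; the inventory and its field names are constructed for illustration and do not correspond to any product's export format.

```python
"""Endpoint baseline audit (added example).

Flags every device in an inventory that is missing a basic control,
regardless of device class, so point-of-sale terminals and network-
connected medical devices are held to the same baseline as desktops.
The inventory below is constructed; the field names are assumptions,
not a real product's export format.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Endpoint:
    hostname: str
    device_class: str                 # workstation, laptop, pos, medical, server
    av_installed: bool
    av_signature_date: Optional[date]  # None if unknown or never updated
    firewall_enabled: bool
    last_patch_date: Optional[date]    # None if never patched / unknown
    disk_encrypted: bool


def audit(endpoints: List[Endpoint], today: date,
          max_sig_age_days: int = 7,
          max_patch_age_days: int = 30) -> Dict[str, List[str]]:
    """Return {hostname: [finding, ...]} for every endpoint failing the baseline.

    A device with no findings is omitted, so an empty dict means a clean fleet.
    Unknown dates (None) are treated as failures, not as passes.
    """
    findings: Dict[str, List[str]] = {}
    for e in endpoints:
        issues: List[str] = []
        if not e.av_installed:
            issues.append("no antivirus")
        elif (e.av_signature_date is None
              or (today - e.av_signature_date).days > max_sig_age_days):
            issues.append("antivirus signatures stale")
        if not e.firewall_enabled:
            issues.append("host firewall disabled")
        if (e.last_patch_date is None
                or (today - e.last_patch_date).days > max_patch_age_days):
            issues.append("patches overdue")
        # Mobile devices leave the building; a lost unencrypted drive is a breach.
        if e.device_class == "laptop" and not e.disk_encrypted:
            issues.append("mobile device without disk encryption")
        if issues:
            findings[e.hostname] = issues
    return findings


def findings_by_class(endpoints: List[Endpoint], today: date) -> Dict[str, int]:
    """Count failing endpoints per device class, to show where the gaps cluster."""
    failing = audit(endpoints, today)
    counts: Dict[str, int] = {}
    for e in endpoints:
        if e.hostname in failing:
            counts[e.device_class] = counts.get(e.device_class, 0) + 1
    return counts


# Constructed sample inventory (not real hosts).
AUDIT_DATE = date(2013, 11, 15)
SAMPLE_INVENTORY = [
    Endpoint("ws-frontdesk-01", "workstation", True, date(2013, 11, 14), True, date(2013, 11, 1), False),
    Endpoint("pos-pharmacy-02", "pos", False, None, False, date(2013, 5, 2), False),
    Endpoint("pump-gw-icu-07", "medical", True, date(2013, 11, 14), True, date(2013, 8, 20), False),
    Endpoint("lt-surgeon-11", "laptop", True, date(2013, 11, 10), True, date(2013, 11, 5), False),
]

if __name__ == "__main__":
    for host, issues in sorted(audit(SAMPLE_INVENTORY, AUDIT_DATE).items()):
        print(f"{host}: {', '.join(issues)}")
    print("failing by class:", findings_by_class(SAMPLE_INVENTORY, AUDIT_DATE))
```

The thresholds (signatures older than a week, patches older than thirty days) are placeholders to be set by policy; the point of the check is that it runs over the whole inventory with no device class exempted, which is exactly the exemption the article says retailers grant their point-of-sale systems.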