BreachExchange mailing list archives
4 Things to Know About Health IT Security
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 4 Mar 2014 17:57:17 -0700
http://www.medpagetoday.com/MeetingCoverage/HIMSS/44536

As health records move from being paper-based to totally electronic, concerns around the security of patient information are growing in the health information technology (IT) world. In fact, security was one of the major topics here at this week's Healthcare Information and Management Systems Society (HIMSS) annual conference.

A person's health information is worth 15 to 20 times more than financial information, said Robert Wah, MD, president-elect of the American Medical Association and chief medical officer for CSC, a health IT company in Falls Church, Va. A stolen credit card can be cancelled, but a medical record contains much more rich data and information about a person -- family history, financial information, of course, medical history.

"It's easier for identity theft to take place from a medical record that's not secure than it is from a financial record because they tend to be locked down a little better," Lisa Gallagher, who heads up privacy and security at HIMSS, told MedPage Today. "Hackers and other perpetrators have moved to trying to get it from the medical record."

Here are four things physicians should be aware of as the debate continues about the security of digital health information.

1. The Opportunity for Theft Is Growing

"We have medical devices on the network that have operating systems that are getting hacked," Gallagher told MedPage Today. "We have the use of mobile to access data or transmit data which is an insecure way to do things."

The security threat associated with health IT is growing. Meanwhile, there is a lot of regulatory pull from other directions on providers, so resources and attention to focus on this are scarce.

For example, a survey of hospital and large physician practices presented at this week's HIMSS meeting showed that organizations continue to spend just 3% of their overall IT budgets on security. That's an area of concern for Gallagher as it's low relative to other industries.

2. Your Employees Are Your Own Worst Enemy

The HIMSS security survey found that organizations' biggest concern was about their own employees accessing patient information they shouldn't be. Such inappropriate employee access is considered a breach by federal regulators.

"Implementation is such that you can't segment a nurse on the floor from only looking at her patients' data," Gallagher said. "They have access and are able to look at someone else's record."

Providers hear this is a problem but have trouble preventing it.

3. Violators Must 'Fess Up

Federal law requires providers who violate patient privacy and security to notify each individual that such a violation has occurred. That might damage the physician-patient relationship.

HHS posts the names of providers whose security breaches top 500 individuals. The list is dubbed the "Wall of Shame" and is now available in a searchable format. Nearly 900 providers and organizations currently reside on the "Wall of Shame."

4. An Insurance ID Is a Valuable Thing

As the cost of healthcare continues to rise and the need to obtain coverage becomes greater, Gallagher said perpetrators of identity theft are more likely to use someone's personal identity and coverage information as a way to pay for healthcare.

Gallagher shared the story of a friend whose wallet was stolen, her health insurance card with it. A couple of months later, someone showed up at the emergency room and used her friend's identity to get care for a child. The hospital didn't detect the fraud, and Gallagher's friend was billed for the emergency visit that wasn't hers.

"Now you have data being put into someone's record that is there for someone else, and they've compromised the integrity of the medical record," Gallagher said. "There's no process to fix it. Their policy is you don't extract data from a medical record because it's a legal record."

The daughter of Gallagher's friend has a compromised medical record. HIMSS is trying to raise awareness of this to have providers be more able to detect this activity.