4 Things to Know About Health IT Security
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 4 Mar 2014 17:57:17 -0700
As health records move from being paper-based to totally electronic,
concerns around the security of patient information are growing in the
health information technology (IT) world.
In fact, security was one of the major topics here at this week's
Healthcare Information and Management Systems Society (HIMSS) annual
A person's health information is worth 15 to 20 times more than financial
information, said Robert Wah, MD, president-elect of the American Medical
Association and chief medical officer for CSC, a health IT company in Falls
A stolen credit card can be cancelled, but a medical record contains much
richer data and information about a person -- family history, financial
information, and, of course, medical history.
"It's easier for identity theft to take place from a medical record that's
not secure than it is from a financial record because they tend to be
locked down a little better," Lisa Gallagher, who heads up privacy and
security at HIMSS, told MedPage Today. "Hackers and other perpetrators have
moved to trying to get it from the medical record."
Here are four things physicians should be aware of as the debate continues
about the security of digital health information.
1. The Opportunity for Theft Is Growing
"We have medical devices on the network that have operating systems that
are getting hacked," Gallagher told MedPage Today. "We have the use of
mobile to access data or transmit data which is an insecure way to do
The security threat associated with health IT is growing.
Meanwhile, there is a lot of regulatory pull from other directions on
providers, so resources and attention to focus on this are scarce. For
example, a survey of hospital and large physician practices presented at
this week's HIMSS meeting showed that organizations continue to spend just
3% of their overall IT budgets on security.
That's an area of concern for Gallagher as it's low relative to other
2. Your Employees Are Your Own Worst Enemy
The HIMSS security survey found that organizations' biggest concern was
about their own employees accessing patient information they shouldn't be.
Such inappropriate employee access is considered a breach by federal
"Implementation is such that you can't segment a nurse on the floor from
only looking at her patients' data," Gallagher said. "They have access and
are able to look at someone else's record."
Providers hear this is a problem but have trouble preventing it.
3. Violators Must 'Fess Up
Federal law requires providers who violate patient privacy and security to
notify each individual that such a violation has occurred. That might
damage the physician-patient relationship.
HHS posts the names of providers whose security breaches top 500
The list is dubbed the "Wall of Shame" and is now available in a searchable
format. Nearly 900 providers and organizations currently reside on the
"Wall of Shame."
4. An Insurance ID Is a Valuable Thing
As the cost of healthcare continues to rise and the need to obtain coverage
becomes greater, Gallagher said perpetrators of identity theft are more
likely to use someone's personal identity and coverage information as a way
to pay for healthcare.
Gallagher shared the story of a friend whose wallet was stolen, her health
insurance card with it. A couple of months later, someone showed up at the
emergency room and used her friend's identity to get care for a child.
The hospital didn't detect the fraud, and Gallagher's friend was billed for
the emergency visit that wasn't hers.
"Now you have data being put into someone's record that is there for
someone else, and they've compromised the integrity of the medical record,"
Gallagher said. "There's no process to fix it. Their policy is you don't
extract data from a medical record because it's a legal record."
The daughter of Gallagher's friend has a compromised medical record. HIMSS
is trying to raise awareness of this so that providers are better able to
detect this activity.
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss