As the federal government pushes to digitize health records, current security practices are inadequate to defend against a growing number of data breaches, experts say.
The latest security failure, which was reported Thursday by The New York Times, exposed the medical records of 20,000 emergency room patients at Stanford Hospital in Palo Alto, Calif., on a public website for almost a year.
Stanford Hospital spokesman Gary Migdol said the exposed data included patient names and diagnosis codes, but did not include credit card and Social Security numbers, which are commonly used in identity theft. Still, he said the hospital had offered free identity theft protection services and is investigating why the file was not protected by one of its contractors, Multi-Specialty Collection Services.
It was one of many recent data breaches to occur in the health care industry, highlighting lax cybersecurity measures taken by hospitals and their contractors, experts say.
"The health care industry has under-invested in security for years," said Bryan Cline, a vice president with the Health Information Trust Alliance, a nonprofit company that establishes privacy guidelines for health providers. "Now they're playing catch-up but it may take years for them to implement standards to adequately protect data."
Such breaches are not uncommon. Last September, New York-Presbyterian Hospital/Columbia University Medical Center said information, including 10 Social Security numbers, belonging to about 6,800 patients was accidentally disclosed on the Internet.
The loss of patient data comes as the federal government has paid doctors and hospitals billions of dollars in incentives to adopt electronic health records. Yet breaches like the one at Stanford Hospital show that many health care providers and their contractors have not taken basic security measures, placing patient data at risk of being exposed, experts say.
"This is happening everywhere," said Marc Rotenberg, executive director of the Electronic Privacy Information Center in Washington. "We're beginning to see the consequences of a lack of adequate enforcement and a lack of significant effort to establish meaningful safeguards."
For financial reasons, some hospitals have not installed firewalls on their computers or have failed to use encrypted USB drives, which are often lost or stolen because they are small, Cline said. In addition, they rely heavily on outside contractors or subcontractors who often don’t take adequate measures to protect data, he said.
Still, it is the hospital's responsibility to ensure that companies they contract with are protecting patient data, Cline said.
"They have to be sure that when they give that data to [contractors] they are taking reasonable security measures like training their people and having laptops that are encrypted," Cline said. "They should weed out folks who don't do it."