
Data Breaches Show Hospitals Not Ready For Shift To Electronic Records, Experts Say

Hospital Hacking

First Posted: 09/09/11 03:52 PM ET Updated: 11/09/11 05:12 AM ET

As the federal government pushes to digitize health records, current security practices are inadequate to defend against a growing number of data breaches, experts say.

The latest security failure, which was reported Thursday by The New York Times, publicly exposed the medical records of 20,000 emergency room patients at Stanford Hospital in Palo Alto, Calif., on a public website for almost a year.

Stanford hospital spokesman Gary Migdol said the exposed data included patient names and diagnosis codes, but did not include credit card and Social Security numbers, which are commonly used in identity theft. Still, he said the hospital had offered free identity theft protection services and is investigating why the file was not protected by one of its contractors, Multi-Specialty Collection Services.

It was one of many recent data breaches to occur in the health care industry, highlighting lax cybersecurity measures taken by hospitals and their contractors, experts say.

"The health care industry has under-invested in security for years," said Bryan Cline, a vice president with the Health Information Trust Alliance, a nonprofit company that establishes privacy guidelines for health providers. "Now they're playing catch-up but it may take years for them to implement standards to adequately protect data."

Such breaches are not uncommon. Last September, New York-Presbyterian Hospital/Columbia University Medical Center said information, including 10 Social Security numbers, belonging to about 6,800 patients was accidentally disclosed on the Internet.

The loss of patient data comes as the federal government has paid doctors and hospitals billions of dollars in incentives to adopt electronic health records. Yet breaches like the one at Stanford Hospital show that many health care providers and their contractors have not taken basic security measures, placing patient data at risk of being exposed, experts say.

"This is happening everywhere," said Marc Rotenberg, executive director of the Electronic Privacy Information Center in Washington. "We're beginning to see the consequences of a lack of adequate enforcement and a lack of significant effort to establish meaningful safeguards."

For financial reasons, some hospitals have not installed firewalls on their computers or have failed to use encrypted USB drives, which are often lost or stolen because they are small, Cline said. In addition, they rely heavily on outside contractors or subcontractors who often don’t take adequate measures to protect data, he said.

Still, it is the hospital's responsibility to ensure that companies they contract with are protecting patient data, Cline said.

"They have to be sure that when they give that data to [contractors] they are taking reasonable security measures like training their people and having laptops that are encrypted," Cline said. "They should weed out folks who don't do it."

SeptimusDSX
Always question the obvious.
10:34 AM on 09/10/2011
A possible solution would be to cut back on the paperwork required to get treatment.
02:27 AM on 09/10/2011
I am sorry. You people are so divorced from real life you have no idea what is going on out there. Don't give me some technical gobbledegook. In most hospitals, and almost all long-term care facilities, read old folks' homes, where you are going, my friends and my foes, count on it, nurses are overwhelmed with the effort of typing endless stuff into computers on these little carts in the hall, while people who need help are languishing in the rooms. If this doesn't sound familiar, go to an old folks' home and hang out there for a while, and try to find someone who is unintimidated enough to talk truth to you. Typing on the computer in the hall means the patient can go to . . .
05:33 AM on 09/10/2011
I agree.
12:08 AM on 09/10/2011
Need to get the reporting right on this one. This was not a breach. A breach requires an act of breaking into a secure system. This is a simple case of hospital negligence or incompetence. Let's punish the hospital and not feed the public worries of a cyber boogeyman.

This may seem like a worthless point to make, but right now there is growing concern over security breaches that is quickly spiraling toward insanity, especially where defense affairs are concerned. When the Pentagon thinks that they can dictate policy to the American people and recommend missile strikes in response to an electronic attack, we need to make sure that a breach is in fact a breach.
12:47 AM on 09/10/2011
It's still a breach. It can but doesn't have to mean that it was purposefully created. The hospital failed, in this case, to keep patient information private by not monitoring the activities of its subcontractors. The public, of course, SHOULD be concerned about breaches due to negligence/incompetence that exposes private medical records.

noun /brēCH/ 
breaches, plural

An act of breaking or failing to observe a law, agreement, or code of conduct
- a breach of confidence
- I sued for breach of contract

A break in relations
- a sudden breach between father and son

A gap in a wall, barrier, or defense, esp. one made by an attacking army

verb /brēCH/ 
breached, past participle; breached, past tense; breaches, 3rd person singular present; breaching, present participle

Make a gap in and break through (a wall, barrier, or defense)
- the river breached its bank

Break or fail to observe (a law, agreement, or code of conduct)

(of a whale) Rise and break through the surface of the water
02:19 PM on 09/10/2011
@Endora: In your attempt to project an enlightened and educated viewpoint you simply come across as hostile and arrogant. The point I was trying to make was that a breach is when someone gains unauthorized access to data in a secure system. According to the (lack of) security measures employed in this system, everyone had authorized access to the data. In other words, this was a data leak and not a breach. Even with the information you give above, this situation fails to meet the definition of a breach.

I work as an IT consultant and that work has included implementing Electronic Health Record systems. The healthcare industry, like many others, is struggling to keep up. Not just in technology, but also in language. Part of my job as a consultant is helping clients understand the differences among leaks and breaches, unintended users and unauthorized users. Each of these security concerns is the responsibility of the healthcare organization, but each requires a slightly different approach.

Finally, when you combine public ignorance with this growing sense of paranoia, you get a potentially dangerous situation. My concern is over the public's inability to distinguish between unintended and unauthorized access. Overreaction to these situations could very easily lead to more harmful laws or calls to war over security issues that may be of our own making. We must make sure we get the facts straight before we print such articles as this.

I must say Endora, you demonstrated my point brilliantly. Thank you.
ncconcernedcitizen
only a fool would take me seriously
10:04 PM on 09/09/2011
Methinks the bulk of people posting on this thread rake in the health care cash cow.
bluejaykira
Vote Democrat to SAVE the American Dream
07:20 PM on 09/09/2011
Not a good idea to eliminate hard copies in hospitals and other vital services!
07:13 PM on 09/09/2011
The real problem is that the country has not done much to address what happens to a person after they have had their personal information stolen. How do you restore your identity properly?

I have been sent three notifications from different entities, one government and two private businesses, that informed me that my information "may" have been compromised (separate incidents). They offer a year of credit monitoring if you desire, but what about after that? Your information is still out there and can still be used. One year is nothing.
Stop-Your-Crying
06:25 PM on 09/09/2011
The Doctors and the Hospitals have not been able to corner the market for this service, ergo nothing has happened.
Gadgetman
No sense of humor just isn't funny
05:59 PM on 09/09/2011
Why should they be ready? They've only had about twenty years to prepare...
ewb2001
05:51 PM on 09/09/2011
The Hospitals pocketed the billions paid by the feds. It was a total waste of money! The VA developed a Complete Comprehensive medical recordkeeping system that they offer FREE to anyone. Our local tax-supported hospital paid millions to a contractor to develop a system that could be had for free!
05:47 PM on 09/09/2011
There's an easy fix. VERY stiff fines and possible jail time for these data breaches could be written into HIPAA. You would see the upper brass in hospitals suddenly sit up and take notice and all-of-a-sudden they'd be tighter than Fort Knox. It's just a matter of priorities.

"Depend upon it, sir, when a man knows he is to be hanged in a fortnight, it concentrates his mind wonderfully." Samuel Johnson
05:13 PM on 09/09/2011
Kaiser Permanente has had a successful electronic record keeping system for years.
dwill123
flexing the "golden pipes" on the day's issues
05:59 PM on 09/09/2011
Most of them have some sort of electronic records system. The problem is that they won't interchange that easily. So you can't have your records at one hospital then go to another have them read your records and then update it. They're on different systems and can't talk to one another.
06:09 PM on 09/09/2011
Good point that points to the need for standardization.
12:54 AM on 09/10/2011
They also subcontract work on records to outside firms.
1kant2
04:56 PM on 09/09/2011
It is hard to generalize, but I work at a hospital and have for many years as a nurse.
1. Perhaps people do not realize how hard a time hospitals are having because of the bad economy. Do not let neo-con scare tactics blind you. Hospitals are losing record amounts of money in charity care. Remember, it is federal law that everyone who shows up to the hospital will be treated regardless of their ability to pay (which it should be). With record unemployment, healthcare costs through the roof, and record numbers of uninsured people who use the ER for all medical care (what choice do they have), they get it and when they do not pay their bill, that means the hospitals have to eat it. In poor districts, hospitals are starting to go out of business all over America.

This will only get worse until we figure out that it is not a good idea to let drug companies, insurance companies, etc. dictate prices and go to a single payer system. We will either figure that out soon, or there will be a nationwide crisis in the longer term future when the majority of Americans do not have healthcare and the entire system goes bankrupt. There is absolutely no reason that we should be paying 200 dollars for an inhaler that costs 5 cents in Cuba.
05:41 PM on 09/09/2011
"There is absolutely no reason that we should be paying 200 dollars for an inhaler that costs 5 cents in Cuba."

Oh sure there is. Gotta make sure those private health insurance company CEOs get their multi-tens-of-millions-of-dollars salaries and platinum parachutes (for doing nothing except sticking out their grubby hands in between patients and providers - they're no better than mob thugs extorting protection money from store owners).
1kant2
05:52 PM on 09/09/2011
Remember, and pass on to everyone you encounter;

It is only this way because we allow it to be. Take control of our government and vote people in who will eliminate this!
walsenberg
05:51 PM on 09/09/2011
I agree. I'm a retired RN and we need a one payer system. It is crazy the way our healthcare system is owned by the insurance companies and pharmaceutical companies.

I had hoped President Obama would have done more to a very broken system. I understand that he had an uphill battle. However, he won by a majority and should have pushed for a one payer/socialized system. I laugh when the right calls him a commie, socialist, etc. If anything, he is not radical enough for me.

It is all about the money. You folks on the right just don't get it. For every story the right pulls out about a sob story from Canada or England there are 100 success stories they don't tell you about.

Just look at the commercials the pharmaceuticals throw at us CONSTANTLY on TV. It's enough to make one sick. They want us to take every imaginable pill for everything. They want us on lipid lowering drugs, drugs to make us all zombies with a happy dull little smile. It is disgusting. Nothing like every man, woman and child BUYING a drug. Talk about DRUG dealers.

Why do you think the pharmaceuticals aren't so into products that are not "sexy"? Why do you think we had a tetanus shortage a few years back? NO money to be made, that is why.

For those on the right who buy into all the corporate clap trap, good luck...
04:49 PM on 09/09/2011
Maybe the hospitals should hire people who have an IT background and pay them above minimum wage for their medical records department. That is a start at solving the problem... but no they won't because it will cut into hospital corporations' profits.
05:44 PM on 09/09/2011
Plus even if they DID want to do something like that, nowadays they'd just offshore that I.T. work to India (with even MORE severe security implications).
12:57 AM on 09/10/2011
A lot of it is off-shored. Indians already work on American medical records.
Franciscodeflores
Veterans for Peace Member
04:48 PM on 09/09/2011
The VA has been using electronic records for years with great success. If the Federal Government wants a model to use, they have one of their very own.
ewb2001
05:53 PM on 09/09/2011
The VA offers the system to anyone for free!
04:42 PM on 09/09/2011
Funny about incentive.
If there is none, like competitive or technical advancement, well nothing happens.