The inability of retail giants like Target and Neiman Marcus to protect customer data from an alleged foreign hacker got national attention recently. But when a large healthcare system experiences a security breach that puts the protected health information (PHI) of thousands of patients at risk, it is often the case that few outside of the industry ever hear about it.
While healthcare IT security breaches have been increasing over the past few years, they are being detected much more quickly.
Mac McMillan, co-founder and CEO of Austin, Texas-based consulting firm CynergisTek Inc. and co-chair of the HIMSS Privacy & Security Policy Task Force, sponsored by the Chicago-based Health Information & Management Systems Society, says a growing awareness within healthcare organizations and higher levels of security put in place between 2000 and 2014 have helped reduce the number of major breaches.
Although a number of the breaches now being reported are the result of lost or stolen mobile devices like laptops, tablets or smartphones, targeted attacks are on the rise. “There’s an increase in the use of malware looking for specific types of systems,” McMillan says.
Unfortunately, the adoption of newer technologies is putting more data at risk, he notes. “Healthcare has more information digitized now. Over 90 percent of patient information is in digital form.” That includes medical ID numbers, addresses, and medical history. “Patient information is more valuable now than credit card information,” he says. “If someone steals your medical identity, you can’t cancel your medical history.”
Typically, this type of identity theft is used to set up false claims so that the thief can receive expensive medical care while the victim's insurance company pays for it.
Leon Hoover, CIO of Hendry Regional Medical Center in Clewiston, Fla., points out that whatever care the thief received is also entered into the victim's health record, which could result in non-payment by the insurance company if the identity theft victim ever had to undergo the same procedure.
Aside from the ease with which digital data can be compromised, there are the emerging trends in managing and delivering IT services, McMillan says. These include cloud services, mobile apps, social media, texting and the use of third-party service providers.
Nader Mherabi, senior vice president, vice dean and CIO of NYU Langone Medical Center in New York, agrees. “As healthcare services move online and patients become more directly engaged in their care processes, security and safety issues loom ever larger. At the same time, the proliferation among our faculty, staff and students of sophisticated devices such as smartphones and laptops, and the necessarily collaborative practices of our research and educational missions pose additional challenges.”
Mike Fleck, CEO of CipherPoint Software, Inc., Denver, notes, “There is pressure to make more information available to patients. But anytime you have a new way of doing business, you’re going to increase the risk of exposure.”
There may also be a generation gap that can put personal data at risk, says McMillan. The younger generation, which uses social media outlets like Facebook and Twitter, tends to view privacy differently than the older generations that fashioned the current privacy laws. “Because they share everything about themselves and share information liberally with others, they don’t perceive a personal ownership of information,” he says.
Cottage Health System in Santa Barbara, Calif. reported in early December that a third-party vendor appeared to have removed electronic security protections from one of its servers without informing Cottage, resulting in the exposure of patient information stored on that server. The information that may have been compromised involved patients treated at Goleta Valley Cottage Hospital, Santa Ynez Valley Cottage Hospital, and Santa Barbara Cottage Hospital between September 29, 2009 and December 2, 2013.
While no one from Cottage Health agreed to be interviewed for this article, a press release dated December 11 says the file contained information on approximately 32,500 patients including “the name, address, date of birth, and very limited protected health information for some patients related to diagnosis, lab results, and procedures performed. The file did not include any Social Security numbers, driver’s license numbers, health insurance numbers, bank account numbers or any other financial information.” Cottage Health removed the server from service; conducted a review of all other servers; began an audit of its security protocols; and mailed letters to each of the affected patients.
Steve Fellows, executive vice president, COO and chief compliance officer at Cottage Health, states in the press release, “We deeply regret this incident. Cottage takes its obligation to protect health information very seriously and is taking aggressive steps to safeguard against this type of incident in the future.”
Another recent breach occurred at AHMC Healthcare Inc., a six-hospital system in Alhambra, Calif. In this case, two laptops were stolen from a secure office on October 12, 2013. The laptops contained information on approximately 729,000 patients—one of the largest HIPAA privacy breaches on record.
Again, officials at AHMC declined to be interviewed. But a press release dated October 21 says the laptops contained data on patients treated at Garfield Medical Center, Monterey Park Hospital, Greater El Monte Community Hospital, Whittier Hospital Medical Center, San Gabriel Valley Medical Center and Anaheim Regional Medical Center.