Hospital Security Programs Ailing, Study Says

Patient data at risk due to lack of attention to policies, regulations

Security consultant's warning: Hospitals can be dangerous to your personal information.

From 2006 to 2007, more than 1.5 million patients' personal information was exposed through hospitals alone, according to a study released earlier this week by research firm HIMSS Analytics and Kroll Fraud Solutions, a risk management firm. That doesn't count insurance companies, pharmaceutical companies, or individual doctors' offices.

And those are only the breaches we know about. Some 44 percent of hospitals that experienced a breach last year did not inform the patients whose records were affected, according to the study.

Hospitals are not paying enough attention to security issues, and the steps they are taking are often ineffective, the HIMSS/Kroll study says. While there is a high awareness of the security requirements described in the Health Information Portability and Accountability Act (HIPAA) among hospital IT professionals, most hospitals are putting too much emphasis on compliance and not enough on real security vulnerabilities, the study says.

This lack of attention could lead to real problems for individuals down the road, the study warns. Hospitals are often a source for birth, health, and death records that can be very valuable to criminals, and patient data breaches are among the most difficult to clean up, because compromises or changes can affect insurance eligibility or even patient safety if the data is manipulated.

Yet, despite these risks, more than 13 percent of hospitals report experiencing at least one breach in the past year, according to the HIMSS report. Identity theft was three times more likely to occur at a larger facility (over 100 beds) than at a smaller facility (under 100 beds).

And the situation is not getting better, the researchers warn. Of the hospitals that admitted experiencing a breach, 62 percent identified the source as unauthorized use of information, while 32 percent said the breach occurred due to wrongful access of paper records.

"Noticeably absent were breach sources associated with malicious intent, such as stolen computers and deliberate acts by unscrupulous employees," the report states. This suggests that while hospitals are focusing their efforts on protecting patient records from curious employees or accidental compromises, they have not built sufficient controls against intentional theft or fraud, the researchers say.

Statements about hospitals' efforts to protect patient data support the researchers' conclusions. For example, many hospitals said one of their chief strategies for defending against compromises is user education -- which does little to protect against malicious intent, the researchers note.

"There is an over-reliance on employee education and disciplinary action as effective prevention and response techniques that do not address the incidence of malicious intent that is responsible for the industry's largest and most damaging breaches," the study says. The researchers call for a "paradigm shift" toward developing security defenses against malicious attacks as well as inappropriate access.
