WSJ has a story, "New Epidemic Fear: Hackers". Historically, healthcare organizations have taken security less seriously than their financial services peers. Because of regulation and the possibility of financial loss, financial services must attempt to slouch towards something resembling medium assurance (even if bank PINs are routinely stored in plaintext and so on); but in healthcare, because there is a perceived lack of clear and present threat to the companies that process the data, these systems can be quite vulnerable.
In May, a hacker stole more than 500,000 patient records from a state-run database that tracks drug prescriptions in Virginia -- and then demanded a ransom to return the information. The data were backed up and the state didn't pay the ransom. That same month, the University of California disclosed that a hacker broke into a database where patient records were stored for the university health service and stole about 160,000 records.
In all, health organizations publicly disclosed 97 data breaches in 2008, up from 64 in 2007, which was more than the breaches publicly reported by financial institutions, according to the nonprofit Identity Theft Resource Center. That total should jump again in 2009. California, where a new law requires health organizations to report when an unauthorized party has accessed patient data, received 823 such notifications between January and May.
The incidents include lost laptops with patient data on them, misconfigured Web sites that make confidential information public, insider theft by rogue employees, and hackers who penetrate a computer network to steal data. Sometimes, the breaches never hurt the victims; in other cases, the data are used to steal someone's identity.
"Health care is a treasure trove of personally identifiable information," says Don Jackson, a researcher at security consulting company Secure Works Inc. Most health-care organizations collect patients' names, Social Security numbers and dates of birth. Often they store payment information such as insurance and credit-card data.
Criminals can use this information to open credit-card accounts in the victim's name. Among the more nefarious crimes these breaches can lead to is medical identity theft, when someone receives health-care services using the victim's name and insurance. The Federal Trade Commission says medical fraud is involved in about 5% of all identity theft.
Randy Osteen, system director for Irving, Texas, hospital chain Christus Health, says hackers try to steal data from his company "all the time." Christus has a detailed security plan in place, he notes, including tools that ensure only authorized people can access patient records.