Hospitals underrate malicious intent in data breaches

Experts say there are also lessons about data security for physician practices in the HIMSS study findings.

By Pamela Lewis Dolan — Posted May 26, 2008

Hospitals generally are well aware of what they have to do under the Health Insurance Portability and Accountability Act to ensure the security of patient data. They are also aware that their own employees might be the ones who breach that security.

However, hospitals generally underestimate the malicious intent and the financial damage involved in data breaches and are unaware they're being targeted by perpetrators wishing to commit identity theft or medical fraud.

That is the conclusion of a recent report by the Health Information and Management Systems Society. The report was based on responses to a January telephone survey from 263 hospital executives responsible for patient data.

"I think ... hospitals, they may stick their heads in the sand, and they don't want to acknowledge that people want to access people's data for personal gain," said Brian Lapidus, chief operating officer of Kroll Fraud Solutions. Kroll, which sells data protection and identity theft response solutions, commissioned the study by HIMSS.

The report did not look into breaches at physician practices. But some experts say physicians also underestimate their chances of being targeted.

Mike Spinney, spokesman for Ponemon Institute, a Traverse City, Mich.-based think tank that researches privacy and data security issues, said while breaches are commonly discovered at hospitals and large medical groups, too often physician practices adopt a mentality that they are too small to be targeted.

"If I were a data thief, would I want to try and hack into the network of a company that had the resources to invest in the state of the art security? I think it will be easier to get into that smaller practice, and I only need a handful of credit profiles to make it profitable to me. I have lowered my risk," Spinney said.

The report noted high awareness of HIPAA -- an average score of 6.53 on a 7-point self-ranking scale. It also noted that half of respondents identified employee access to unauthorized information as their primary concern regarding data security.

Of those respondents whose organization had an information breach, 80% said an employee was the perpetrator, while another 9% said a temporary or contract worker was responsible. In many cases, respondents commented that employees were "snooping" or somehow had accidentally gotten into an unauthorized file.

But the HIMSS report said the respondents showed they underestimated malicious intent to access data by how infrequently breaches associated with stolen laptops or computers, deliberate acts by unscrupulous employees, and outside hackers were a primary concern.

It also said respondents tended to react to breaches by firing or otherwise sanctioning employees, or providing employee education, or other reactive measures that didn't address the underlying security of data.

HIMSS set the cost for a breach at nearly $200 per record. But only 18% of organizations that have been breached believed there was a negative financial impact.

Medical records are considered the most valuable and content-rich data sources for fraud and profitability, the study said.

Researchers said health care facilities may be underestimating the scope of data breaches, and their cost, because many malicious acts of fraud go undetected.

"They haven't been predisposed to look for [malicious breaches]. That is a wake-up call," said Lisa A. Gallagher, senior director of privacy and security for HIMSS.

Security measures, such as encryption and password protections, in electronic systems that protect against malicious breaches are no different than security measures aimed at preventing snooping, said privacy consultant John Parmigiani. He chaired the committee that helped create the HIPAA Security Rule in 1998, and is now president of John C. Parmigiani & Associates, LLC, a privacy and management consulting firm based in Ellicott City, Md.

Beyond commonsense steps like encrypting data, using passwords and conducting regular audits, Lapidus said doctors can take these steps:

  • Minimize data hoarding. Limit the amount of data downloading and copying and the storing of multiple copies of the same information.
  • Maximize access management. Keep all information on a need-to-know basis. Sometimes in order to maximize information flow, physicians open up the databases to multiple people in the practice, thus placing the files at risk.
  • Optimize employee education. While employees are trained to treat medical information, such as diagnosis, with secure means, they need to be coached to treat Social Security numbers and financial information in the same manner.

Experts say even though the financial impact of a malicious breach could be devastating in terms of restitution, there are indirect costs to consider as well, such as lost business due to a tarnished reputation.

"The prevention, whatever it costs, is a lot less than when the horse is already out of the barn," Parmigiani said.

What was accessed?

A recent HIMSS survey found the most common types of data breached were patient name and high-level patient information such as diagnosis. The study's authors say the evidence suggests that the number, scope and size of security breaches are actually much higher than the numbers reported in the survey.

Here are the percentages of respondents reporting each type of data compromise:

Patient name 65%
High-level patient information 62%
Patient address 53%
In-depth patient information 47%
Social Security number 38%
Insurance information 35%
Other 9%

Note: Respondents could choose more than one answer.

Source: "2008 HIMSS Analytics Report: Security of Patient Data"

Hospital reaction

Laws vary by state regarding when a patient needs to be notified, if at all, when a security breach has occurred. But experts say when malicious breaches occur, best practice has become notification and credit monitoring for a year. Many hospitals indicated they dealt with the issue in-house.

Here are the percentages of respondents taking each type of step:

Notified patients 56%
Reprimanded or fired employee 48%
Investigated the terms of the breach 25%
Changed existing breach response plan 21%
Provided education to employees responsible 11%
Created a response plan 10%

Note: Respondents could choose more than one answer.

Source: "2008 HIMSS Analytics Report: Security of Patient Data"
