Hospitals underrate malicious intent in data breaches
Experts say there are also lessons about data security for physician practices in the HIMSS study findings.
By Pamela Lewis Dolan — Posted May 26, 2008
Hospitals generally are well aware of what they have to do under the Health Insurance Portability and Accountability Act to ensure the security of patient data. They are also aware that their own employees might be the ones who breach that security.
However, hospitals generally underestimate the malicious intent and the financial damage involved in data breaches and are unaware they're being targeted by perpetrators wishing to commit identity theft or medical fraud.
That is the conclusion of a recent report by the Health Information and Management Systems Society. The report was based on responses to a January telephone survey from 263 hospital executives responsible for patient data.
"I think ... hospitals, they may stick their heads in the sand, and they don't want to acknowledge that people want to access people's data for personal gain," said Brian Lapidus, chief operating officer of Kroll Fraud Solutions. Kroll, which sells data protection and identity theft response solutions, commissioned the study by HIMSS.
The report did not look into breaches at physician practices. But some experts say physicians also underestimate their chances of being targeted.
Mike Spinney, spokesman for Ponemon Institute, a Traverse City, Mich.-based think tank that researches privacy and data security issues, said that while breaches are commonly discovered at hospitals and large medical groups, physician practices too often adopt the mentality that they are too small to be targeted.
"If I were a data thief, would I want to try and hack into the network of a company that had the resources to invest in the state of the art security? I think it will be easier to get into that smaller practice, and I only need a handful of credit profiles to make it profitable to me. I have lowered my risk," Spinney said.
The report noted high awareness of HIPAA, with an average score of 6.53 on a 7-point self-ranking scale. It also noted that half of respondents identified employee access to unauthorized information as their primary concern regarding data security.
Of those respondents whose organization had an information breach, 80% said an employee was the perpetrator, while another 9% said a temporary or contract worker was responsible. In many cases, respondents commented that employees were "snooping" or somehow had accidentally gotten into an unauthorized file.
But the HIMSS report said the respondents showed they underestimated malicious intent to access data: breaches associated with stolen laptops or computers, deliberate acts by unscrupulous employees, and outside hackers were rarely cited as a primary concern.
It also said respondents tended to react to breaches by firing or otherwise sanctioning employees, providing employee education, or taking other reactive measures that didn't address the underlying security of the data.
HIMSS set the cost for a breach at nearly $200 per record. But only 18% of organizations that have been breached believed there was a negative financial impact.
Medical records are considered the most valuable and content-rich data sources for fraud and profitability, the study said.
Researchers said health care facilities may be underestimating the scope of data breaches, and their cost, because many malicious acts of fraud go undetected.
"They haven't been predisposed to look for [malicious breaches]. That is a wake-up call," said Lisa A. Gallagher, senior director of privacy and security for HIMSS.
The security measures in electronic systems that protect against malicious breaches, such as encryption and password protection, are no different from the measures aimed at preventing snooping, said privacy consultant John Parmigiani. He chaired the committee that helped create the HIPAA Security Rule in 1998, and is now president of John C. Parmigiani & Associates, LLC, a privacy and management consulting firm based in Ellicott City, Md.
Beyond commonsense steps like encrypting data, using passwords and conducting regular audits, Lapidus said doctors can take these steps:
- Minimize data hoarding. Limit the amount of data downloading and copying and the storing of multiple copies of the same information.
- Maximize access management. Keep all information on a need-to-know basis. Sometimes in order to maximize information flow, physicians open up the databases to multiple people in the practice, thus placing the files at risk.
- Optimize employee education. While employees are trained to handle medical information, such as diagnoses, securely, they need to be coached to treat Social Security numbers and financial information in the same manner.
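The three steps above, plus the "regular audits" Lapidus mentions, translate directly into controls a practice's record system can enforce. The following is an added illustration written for this article, not code from Kroll, HIMSS or any vendor: every read is limited to a single field (no whole-record downloads), is permitted only when the user's role and an explicit treatment relationship give a need to know, and is written to an audit log; a simple audit routine then flags users who accumulate repeated denied reads, the pattern the survey's respondents described as employee "snooping". The practice, users, patient identifiers and field names are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Field groups and the roles allowed to see them once a need-to-know exists.
# (Hypothetical role model for a small practice; adjust to the real org chart.)
CLINICAL_FIELDS = {"diagnosis", "medications"}
FINANCIAL_FIELDS = {"ssn", "insurance_id"}
ROLE_FIELDS: Dict[str, Set[str]] = {
    "physician": CLINICAL_FIELDS,
    "nurse": CLINICAL_FIELDS,
    "billing": FINANCIAL_FIELDS,
}


@dataclass(frozen=True)
class AccessEvent:
    """One audit-log entry: who asked for what, and whether it was granted."""
    when: datetime
    user: str
    patient_id: str
    field_name: str
    allowed: bool
    reason: str


class RecordStore:
    """Field-level reads gated by role and an explicit treatment relationship."""

    def __init__(self, records: Dict[str, Dict[str, str]], roles: Dict[str, str],
                 relationships: Set[Tuple[str, str]]):
        self._records = records                  # patient_id -> {field: value}
        self._roles = roles                      # user -> role
        self._relationships = set(relationships) # {(user, patient_id)}
        self.audit_log: List[AccessEvent] = []

    def read_field(self, user: str, patient_id: str, field_name: str, now: datetime) -> str:
        """Return exactly one field, never the whole record (data minimization)."""
        role = self._roles.get(user)
        allowed, reason = False, "unknown user"
        if role is None:
            pass
        elif (user, patient_id) not in self._relationships:
            reason = "no treatment relationship"
        elif field_name not in ROLE_FIELDS[role]:
            reason = f"field not permitted for role {role}"
        elif field_name not in self._records.get(patient_id, {}):
            reason = "no such field"
        else:
            allowed, reason = True, "need-to-know satisfied"
        # Every decision is logged, denied or not, so audits see the attempts too.
        self.audit_log.append(AccessEvent(now, user, patient_id, field_name, allowed, reason))
        if not allowed:
            raise PermissionError(f"{user} -> {patient_id}.{field_name}: {reason}")
        return self._records[patient_id][field_name]


def flag_snooping(events: List[AccessEvent], window: timedelta, threshold: int) -> Dict[str, int]:
    """Users with at least `threshold` denied reads inside some window of length `window`.

    A single denial is usually a typo; a cluster of denials against patients the
    user has no relationship with is what a periodic audit should surface.
    """
    by_user: Dict[str, List[datetime]] = {}
    for e in events:
        if not e.allowed:
            by_user.setdefault(e.user, []).append(e.when)
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        best = max(sum(1 for t in times[i:] if t - start <= window)
                   for i, start in enumerate(times))
        if best >= threshold:
            flagged[user] = best
    return flagged


def run_scenario() -> dict:
    """Constructed walk-through: one legitimate read, one role-based denial, and a
    nurse who repeatedly tries to open the chart of a patient she is not caring for."""
    t0 = datetime(2008, 5, 26, 9, 0)
    store = RecordStore(
        records={
            "P-001": {"diagnosis": "hypertension", "medications": "lisinopril",
                      "ssn": "000-00-0001", "insurance_id": "INS-0001"},
            "P-002": {"diagnosis": "asthma", "medications": "albuterol",
                      "ssn": "000-00-0002", "insurance_id": "INS-0002"},
        },
        roles={"dr_a": "physician", "billing_b": "billing", "nurse_c": "nurse"},
        relationships={("dr_a", "P-001"), ("billing_b", "P-001"), ("nurse_c", "P-002")},
    )
    results = {}
    results["physician_read"] = store.read_field("dr_a", "P-001", "diagnosis", t0)
    try:  # treating physician, but SSN is a financial field reserved for billing
        store.read_field("dr_a", "P-001", "ssn", t0 + timedelta(minutes=1))
    except PermissionError as exc:
        results["physician_ssn_denied"] = str(exc)
    for i in range(3):  # nurse_c has no relationship with P-001
        try:
            store.read_field("nurse_c", "P-001", "diagnosis", t0 + timedelta(minutes=2 + i))
        except PermissionError:
            pass
    results["flagged"] = flag_snooping(store.audit_log, timedelta(hours=1), threshold=3)
    results["events"] = len(store.audit_log)
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The relationship set is the important part: a role alone ("nurse") says nothing about whether this user should see this patient, which is exactly the gap that lets a practice "open up the databases to multiple people." Keeping the denied attempts in the log, rather than only successful reads, is what makes the audit step useful.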
Experts say even though the financial impact of a malicious breach could be devastating in terms of restitution, there are indirect costs to consider as well, such as lost business due to a tarnished reputation.
"The prevention, whatever it costs, is a lot less than when the horse is already out of the barn," Parmigiani said.