Audit finds hospital EMRs vulnerable to data breaches

The inspector general exposes 151 problems with health information technology systems at seven hospitals.

By Charles Fiegl — Posted May 26, 2011


Efforts to launch electronic medical records in hospitals have proceeded without ensuring that proper data safeguards are in place, according to two reports from the Dept. of Health and Human Services Office of Inspector General.

An audit uncovered 151 vulnerabilities in health information technology systems at seven hospitals between October 2008 and March 2010. This left patient information exposed to anyone who might have gained unauthorized access to internal networks, according to a May report.

"These vulnerabilities placed the confidentiality, integrity and availability of [electronic patient health information] at risk," the OIG report said. "Outsiders or employees at some hospitals could have accessed -- and at one hospital did access -- systems and beneficiaries' personal data and performed unauthorized acts without the hospitals' knowledge."

The majority of vulnerabilities were technical problems related to wireless communications and other computer security issues. For instance, four hospitals used Wired Equivalent Privacy (WEP) encryption to secure data at access points. This encryption method uses a flawed algorithm that could allow a computer hacker to break into the wireless system, the report states.

Three hospitals did not include firewalls to protect wireless and land networks from data breaches. An unauthorized user could have gained unlimited access to a hospital's entire network, the OIG said. Other problems included a lack of password protection for computers on portable carts and a failure to track computer equipment that might contain patient information.

The HHS Office for Civil Rights, which conducts compliance reviews, reviewed a draft copy of the report. "As a general comment, we caution against drawing conclusions about the state of compliance of all covered entities based on the small sample of narrowly focused audits performed in the review of CMS oversight," wrote Georgina Verdugo, director of OCR, in a memo.

A separate OIG report also released in May criticized the HHS Office of the National Coordinator for Health Information Technology. The office, which is charged with setting standards for EMR systems, did not establish certain general security controls, the report said. Such security controls would include encrypting data on portable storage devices and requiring two-factor authentication passwords for remote access.

The OIG recommended the coordinator's office use its leadership role to provide guidance on health information technology security. The office agreed with the recommendation.

Better enforcement of Health Insurance Portability and Accountability Act regulations that require facilities and professionals to secure and protect patient health information would improve current practices, said Lisa Gallagher, senior director for privacy and security at the Health Information and Management Systems Society.

"Health care organizations often cite the perceived lack of enforcement of the HIPAA security rule as a primary reason for lack of focus and resources for this area," Gallagher said. "With a visible increase in enforcement of HIPAA security, coupled with the publication of audit requirements or guidelines, health care organizations would have greater leverage for increased funding and enhanced security management efforts."
