
Health System’s Security Error Puts PHI On Google

A Santa Barbara, Calif. hospital system may have exposed the protected health information of almost 33,000 individuals to the public via Google over the last two months, according to a story in Healthcare IT News.

Three-hospital Cottage Health System recently notified 32,755 of its patients that their personal health information may have been made available on Google because of a lack of security coordination between the health system and one of its vendors.

According to a letter CHS mailed to patients, IT services and solutions vendor inSync removed electronic security protections from one of its services without the health system's knowledge.

Removing those protections exposed a file on the server that contained PHI. The file sat unsecured and reachable by the public for nearly two months, Healthcare IT News said. Turning up in Google results is only the visible symptom of such an exposure: for a crawler to index the file, it had to be fetchable by any unauthenticated client for that whole window, and cached copies can outlive the fix itself.
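The failure mode described above, a vendor silently dropping a control and the data owner learning of it only when a search engine surfaces the file, is one the owner can detect without waiting for Google. The following is an added example written for this page, not code from Cottage Health System, inSync or Healthcare IT News: it probes a baseline of sensitive paths anonymously, flags any that have become reachable, and notes whether robots.txt or an X-Robots-Tag header would at least stop a well-behaved crawler from indexing them. The hostname vendor.example.test, the paths in BASELINE and the canned responses in constructed_fetch are all constructed for the demo; urllib_fetch is the real-network fetcher you would substitute.

```python
"""Monitor for sensitive URLs that have silently become public and crawlable.

Added example for this page; not code from Cottage Health System, inSync
or Healthcare IT News. Hostname, paths and canned responses are constructed.
"""
import urllib.error
import urllib.parse
import urllib.request
import urllib.robotparser
from typing import Callable, Dict, Tuple

# A fetcher returns (status, lower-cased headers, body) for one URL, requested
# with no credentials and without following redirects.
Fetcher = Callable[[str], Tuple[int, Dict[str, str], str]]

# Baseline agreed with the vendor: the status an UNAUTHENTICATED client must see.
# Constructed for the example; a real baseline comes from the last access review.
BASELINE: Dict[str, int] = {
    "/portal/records/": 401,
    "/exports/": 403,
    "/exports/lab_results.csv": 403,
}

REDIRECTS = {301, 302, 303, 307, 308}


def urllib_fetch(url: str, timeout: float = 5.0) -> Tuple[int, Dict[str, str], str]:
    """Real fetcher. Redirects are not followed: a 302 to a login page is itself
    the evidence that a resource is still protected, so it must stay visible."""

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # urllib then raises HTTPError for 3xx instead of following

    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            headers = {k.lower(): v for k, v in resp.headers.items()}
            return resp.status, headers, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, {k.lower(): v for k, v in err.headers.items()}, ""


def is_crawlable(path: str, headers: Dict[str, str],
                 robots: urllib.robotparser.RobotFileParser) -> bool:
    """Would a well-behaved crawler index this URL? robots.txt and X-Robots-Tag
    only advise crawlers; neither is an access control."""
    if "noindex" in headers.get("x-robots-tag", "").lower():
        return False
    return robots.can_fetch("*", path)


def load_robots(base_url: str, fetch: Fetcher) -> urllib.robotparser.RobotFileParser:
    robots = urllib.robotparser.RobotFileParser()
    status, _, body = fetch(base_url + "/robots.txt")
    if status == 200:
        robots.parse(body.splitlines())
    else:
        robots.allow_all = True  # no robots.txt: crawlers may fetch anything reachable
    return robots


def check_exposure(base_url: str, fetch: Fetcher,
                   baseline: Dict[str, int] = BASELINE) -> Dict[str, str]:
    """Probe every baselined path anonymously. Returns path -> finding; an empty
    dict means the access controls the baseline recorded are still in place."""
    robots = load_robots(base_url, fetch)
    findings: Dict[str, str] = {}
    for path, expected in baseline.items():
        status, headers, _ = fetch(base_url + path)
        if status == expected:
            continue
        if status in REDIRECTS and "login" in headers.get("location", "").lower():
            continue  # bounced to a login page: still protected, only the mechanism changed
        if status == 200:
            findings[path] = ("public and indexable" if is_crawlable(path, headers, robots)
                              else "public (noindex or robots-disallowed)")
        else:
            findings[path] = f"unexpected status {status} (expected {expected})"
    return findings


def constructed_fetch(url: str) -> Tuple[int, Dict[str, str], str]:
    """Stand-in for the network (constructed): a vendor host where the protection
    on /exports/ was removed while the patient portal still redirects to login."""
    path = urllib.parse.urlparse(url).path
    canned = {
        "/robots.txt": (200, {}, "User-agent: *\nDisallow: /portal/\n"),
        "/portal/records/": (302, {"location": "/login?next=/portal/records/"}, ""),
        "/exports/": (200, {"content-type": "text/html"}, "<h1>Index of /exports</h1>"),
        "/exports/lab_results.csv": (200, {"content-type": "text/csv"},
                                     "mrn,dob,diagnosis\n0001,1950-01-01,constructed\n"),
    }
    return canned.get(path, (404, {}, ""))


if __name__ == "__main__":
    for path, finding in check_exposure("https://vendor.example.test", constructed_fetch).items():
        print(f"ALERT {path}: {finding}")
```

Run this from outside your own network on a schedule, with `urllib_fetch` in place of the constructed fetcher: a 200 where the baseline recorded 401 or 403 is a page to the on-call engineer, not a line in a monthly report, because the clock on the exposure window starts at the vendor's change, not at discovery. The crawlability flag is only triage information; the remediation is restoring the access control, never adding a robots.txt entry.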

The breach exposed patient names, dates of birth, medical diagnoses, lab results and procedures, medical record numbers, account numbers and addresses, though no financial data was made public.

CHS has asked all involved to remove the file from their systems and has issued a letter assuring patients that it has taken steps to prevent a recurrence. In the letter, CHS chief operating officer Steven Fellow said the health system is reviewing its service relationships with third-party vendors and tightening its security routine, Healthcare IT News reports.

As serious as PHI exposure is, this privacy breach is a drop in the bucket statistically. Since 2009, when HIPAA privacy and security breach notification rules went into effect, HIPAA-covered entities have reported breaches affecting some 27 million individuals. This includes some institutions — such as the University of Rochester Medical Center — which have had to report multiple security breaches.

December 16, 2013 | Written By

Anne Zieger is a veteran healthcare consultant and analyst with 20 years of industry experience. Zieger formerly served as editor-in-chief of FierceHealthcare.com and her commentaries have appeared in dozens of international business publications, including Forbes, Business Week and Information Week. She has also contributed content to hundreds of healthcare and health IT organizations, including several Fortune 500 companies.

Hospitals Stepping Up Security Risk Analysis, While Practices Lag

As hospitals have adopted EMRs, they have become a tempting target for criminal hackers: the concentrated patient data they hold fetches a high price on the black market. At the same time, patient access to health data has expanded dramatically, multiplying the possible points of failure.

Aware of these issues, hospitals are almost all conducting an annual security risk analysis, but fewer medical practices are on the bandwagon, according to new research by HIMSS.

Since 2008, HIMSS has conducted an annual security survey of healthcare providers, supported by the Medical Group Management Association and underwritten by Experian Data Breach Resolution. That first year, three-quarters of respondents (largely hospitals) said their organization had conducted an annual risk analysis.

For 2012, 303 individuals completed the self-selected, Web-based HIMSS survey. Respondents had to pass qualifying questions verifying that they work directly on security at their organization.

This year, a full 90 percent of hospitals reported conducting an annual risk analysis, while just 65 percent of physician practices said that they do so. (I’m actually surprised that so many physician groups are doing any kind of audit, but maybe the respondents came from larger practices.)

What’s really interesting, though, isn’t the mere fact that these organizations are taking their medicine and doing their risk surveys.  Some other highlights of the study:

* Twenty-two percent of respondents reported a security breach in the last year: While scary to contemplate, it's nonetheless true that both hospitals and medical practices had roughly a one-in-five chance of being breached this year. Most breaches affected fewer than 500 patients (500 is the threshold above which HIPAA requires notice to HHS and the media within 60 days), but providers can't count on that being the rule.

* Fewer than half of the hospitals and doctors had tested their data breach response plan: Auditing your security arrangements is all well and good, but if you're not sure your data breach plan will actually help you respond to a breach, it's not worth the (digital) paper it's written on.

As the pressure mounts to protect EMR data — across patient portals, mobile devices, laptops, desktops and more — let’s hope that physicians catch up with hospitals when it comes to security.  Otherwise, I think 2013 may be remembered as the year big ‘n ugly physician practice break-ins dominated the news.

December 14, 2012 | Written By Anne Zieger