Pennsylvania Hospital Sees Data Breach

No matter how careful you are with patient data, there’s always a way for it to slip out the door or be accessed illegitimately. That’s why a Pennsylvania-based hospital has been forced to notify almost 2,000 patients that an employee had committed a HIPAA breach.

The 551-bed Penn State Milton S. Hershey hospital learned, after conducting an internal investigation, that an employee accessed and transmitted protected health data outside of the hospital’s secure information network. The hospital was forced to inform 1,801 patients that their names, medical record numbers, lab tests and results and visit dates could conceivably have been accessed by unauthorized persons or entities due to an employee mistake.

The HIPAA breach was due to a mistake by a Penn State Hershey clinical laboratory technician, who was authorized to work with PHI but did so insecurely. The lab tech accessed patient data via insecure USB devices through his home network rather than the hospital network, and also sent patient data from his personal email address to two hospital physicians.

To date, Penn State Hershey has had a respectable track record for security. As HealthcareITNews notes, this is the first large HIPAA breach the facility has reported to HHS.

But there’s clearly an education gap here if an otherwise well-behaved lab tech didn’t know that he would be compromising data by accessing and sending it this way.

To prevent breaches like this from becoming common, hospitals need to keep up an ongoing education program which continually re-emphasizes the dangers of outside-network communication, unencrypted communications, data storage on easily stolen laptops and phones and more. But few hospitals offer the level of education required to fend off everyday accidents like this one.

But education isn’t the only security challenge facing hospital IT departments. There’s another issue in hospital security which, while we’re discussing HIPAA breaches, is worth a quick note. While it’s critical to educate staffers on what they can do to avoid HIPAA breaches, health IT departments themselves may need a refresher from time to time, notes my colleague John Lynn.

John notes that while hospital IT staffers may have strong antivirus software protecting their facility, their malware protections are often weak, as software that locks staff computers down too much often makes users angry.

As he sees it, the next wave of security breaches may not be due to human error (or malicious content) but unseen malware quietly feeding data to health data thieves. Not only that, he expects to see personal mobile phones get compromised and infect the hospital network. All scary stuff.

About the author

Anne Zieger

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.
