E-News Exclusive

Healthcare Information Security Breaches
By Mary Anne Gates

Stolen or misused computers are a big headache for medical facilities and the individuals they serve. Sensitive data may suddenly be in the hands of thieves. Medical, financial, and other personal information can be at great risk for misuse and abuse.

Stolen and Misused Computers
Recently, two laptop computers were stolen from an outpatient area at Eisenhower Medical Center in Rancho Mirage, Calif., according to Elizabeth Wholihan, director of marketing and public relations. She says there was no personal health information on the computers and no content that would require sending notifications to patients.

According to Wholihan, police recovered the laptops on March 10, a few days after they had been stolen. However, she told the Desert Sun that a computer stolen from Eisenhower Medical Center on March 11 contained personal information on 514,330 patients dating back to the 1980s.

The medical center is not alone in its computer woes. In February, Jean Williams of Roanoke, Ind., learned personal information, including her credit card number, may have been compromised by an Arizona cord blood registry facility that freezes and stores umbilical cord blood for later use. According to Williams, some time prior to February, one of the facilities’ laptops was found in the backseat of an employee’s car.

“My first thought was why was anyone taking that information outside the building? I was very concerned because I have reoccurring automatic payments for two of my granddaughters’ accounts. I was really upset they weren’t more careful with my information,” Williams says.

Ensuring Data Security: Maybe, Maybe Not
According to Wholihan, ensuring the complete security of healthcare information may be an impossible task due to the naturally open access of a healthcare facility and the sheer number of people who come and go every day.

“We have a 130-acre campus with numerous buildings and a daily population of 3,000 to 5,000. We have a security force of 35 people, and we have a network of 350 closed-circuit TV security cameras on campus. But we are a healthcare facility with open access to the public and numerous patients coming and going. While our security measures no doubt prevent many thefts, it is not possible to prevent them all,” she says.

Besides physical and video surveillance, many healthcare facilities protect their computers and block access to sensitive information with specially designed software.

“They [medical facilities] should comply with state-of-the-art security and privacy protections. They should, at a bare minimum, comply with HIPAA security requirements,” says Deborah C. Peel, MD, founder of Patients Privacy Rights, a Texas-based watchdog organization.

“Whenever an unprotected laptop is missing, lost, or stolen, there’s a good chance that a data breach will occur,” says Stephen Midgley, vice president of marketing for Absolute Software, which specializes in software and services that help with managing and securing computers. “Our Computrace Persistence technology provides the IT department at Eisenhower Medical Center full visibility into all of the computers in their deployment.

“The ability to use our software to track and manage laptops on a day-to-day basis ensures that when a device is stolen, action can be quickly taken to prevent a potential data breach or loss of sensitive data,” he continues. “Once Eisenhower Medical Center reported this theft, our theft recovery team immediately stepped in, working in conjunction with local law enforcement to recover Eisenhower Medical Center’s stolen devices. The average recovery period is 45 days, but as you can imagine, every recovery is different.”

Healthcare Data Security Technology
Computrace Persistence technology, introduced in 2005, includes data and device security capabilities that block access to an electronic device and remove sensitive data before they can be breached. Depending on the situation, customers can remotely delete sensitive data and produce an audit log of the deleted files to prove compliance with healthcare privacy regulations, says Midgley. 

“Device Freeze and Intel AT Lock will freeze the computer and display a message to the user to validate the status of the device before access is reinstated. Remote file retrieval is also possible for those instances where the computer contains unique information that will be difficult to replace,” he says.

Identity Theft Protection—and More
In connection with the possible breach of confidential information, Williams says the Arizona facility is providing her one year of identity theft protection. So far, she says, no breach of her information has been detected. However, according to Peel, in many cases this is not enough.

Patients affected by data security breaches deserve far more than simply credit monitoring for identity theft, which does not address all the potential damages. They are also subject to medical identity theft, which can cost about $20,000 to deal with, take up to two years to discover, and cost patients in other ways, such as the loss of insurance coverage, increased health insurance premiums, and errors in their EMRs that are not easily corrected and can endanger their lives. Victims of a security breach should demand a breach remediation company that can monitor their insurance claims and prevent fraudulent claims from being filed in addition to credit monitoring, says Peel.

Telling Clients the Bad News
Ultimately, when sensitive information falls into the wrong hands, Williams wants to know about it right away. “You better know about it immediately when it occurs. If I don’t know about it, I cannot protect myself adequately,” she says.

“Patients must demand that lawmakers require the use of privacy technologies for all electronic health systems and data exchanges—they are called robust electronic consent and data segmentation tools—to enable patients to control routine uses of all their sensitive health records. Today’s systems allow thousands to decide when and for what purpose they can use our health records,” says Peel.

Requiring Visitor Identification
In a few recent reports, it appears that due to security issues, some medical facilities are requiring anyone entering the facility to provide identification, usually a driver’s license.

“It’s actually a terrible idea,” says Peel. “It’s a very cheap and ineffective way to try and solve the problems created by poorly designed health IT systems where patients cannot control their sensitive health records in the same way we always controlled our paper medical records: with consent. Today’s ancient and badly designed electronic health systems actually violate our longstanding rights to health privacy and to control who can see and use our sensitive data. They want us to turn over more sensitive data, which they do not have the ability to keep private, subjecting us to greater risks of ID theft, medical identity theft by impersonating us to get treatment with our insurance. The loss of the privacy cannot be fixed.”

— Mary Anne Gates is a medical writer based in the Chicago area.