With provider attention focused on ransomware attacks and the havoc they can cause, other dangerous security practices are placing healthcare organizations at risk for breaches, healthcare security experts say.

While ransomware incidents are high profile and gain national attention in the business and popular press, healthcare information security officers also need to pay attention to several lower-profile risks that carry just as much danger to patient information, they say.

For example, Kate Borten, president of the Marblehead Group consultancy, is concerned about the massive amounts of data being shared with lax security practices by healthcare organizations. Hospitals continue to acquire medical practices, along with their data, and share the data via a health information exchange.

“The wide open data sharing is a recipe for disaster,” she contends, because there is a higher potential for misuse of the data. Authorized users can take advantage of their access to all this data and go snooping, while most provider organizations don’t have technology to curb snooping.
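One form the missing anti-snooping technology could take is an audit-log review that flags chart views with no documented care relationship and views of patients sharing the viewer's surname. The following is an added example, not code from the article or from any provider or vendor named in it; the audit-log format, the encounter table, the 30-day lookback window and every record in it are constructed assumptions.

```python
"""
Snooping detection over EHR chart-access audit records.

Added example; not from the article or any product it mentions. The audit
line format (timestamp|user|patient|action), the encounter table used as the
"care relationship" source, and the 30-day lookback are all assumptions.
Two patterns are flagged:
  1. a user VIEWs a chart for a patient with no encounter involving that user
     inside the lookback window (no care relationship)
  2. a user VIEWs a chart for a patient with the same last name as the user
     (a common self/family lookup pattern)
"""
from datetime import datetime, timedelta

# Constructed user directory: user_id -> last name
USERS = {"u100": "Nguyen", "u200": "Patel", "u300": "Smith"}

# Constructed patient directory: patient_id -> last name
PATIENTS = {"p1": "Garcia", "p2": "Lee", "p3": "Smith", "p4": "Kim"}

# Constructed care relationships: (user_id, patient_id) -> most recent encounter
ENCOUNTERS = {
    ("u100", "p1"): datetime(2024, 3, 1, 9, 0),
    ("u200", "p2"): datetime(2024, 3, 1, 10, 0),
}

# A care relationship is considered current for this many days after an encounter
LOOKBACK = timedelta(days=30)

# Constructed audit log: timestamp|user|patient|action
AUDIT_LOG = """\
2024-03-02T08:00:00|u100|p1|VIEW
2024-03-02T08:05:00|u100|p4|VIEW
2024-03-02T08:10:00|u300|p3|VIEW
2024-03-02T08:15:00|u200|p2|VIEW
2024-03-02T08:20:00|u200|p1|VIEW
"""


def parse_audit(text):
    """Parse pipe-delimited audit lines into (timestamp, user, patient, action) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split("|")
        events.append((datetime.fromisoformat(ts), user, patient, action))
    return events


def has_care_relationship(user, patient, at):
    """True if the user had an encounter with the patient within LOOKBACK before `at`."""
    last = ENCOUNTERS.get((user, patient))
    return last is not None and at - LOOKBACK <= last <= at


def detect_snooping(text):
    """Return (user, patient, reason) findings for chart views that look like snooping."""
    findings = []
    for ts, user, patient, action in parse_audit(text):
        if action != "VIEW":
            continue
        if not has_care_relationship(user, patient, ts):
            findings.append((user, patient, "no-care-relationship"))
        if USERS.get(user) == PATIENTS.get(patient):
            findings.append((user, patient, "same-surname"))
    return findings


if __name__ == "__main__":
    for finding in detect_snooping(AUDIT_LOG):
        print(finding)
```

On the constructed log this flags u100 viewing p4, u200 viewing p1 and u300 viewing p3 (twice, once per rule), while the two views backed by an encounter pass. In practice the care-relationship source has to include consults, coverage and break-the-glass events or the first rule generates more false positives than an analyst can review; the surname rule is cheap and high-signal but obviously misses snooping on anyone else.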

Gathering relevant data on patients is generally beneficial, Borten believes. But at the same time, there is risk of the loss of privacy with individuals possibly never being aware that their data has been improperly exposed.

Because so much data—not just from providers, but also from insurers and employers—is made more easily available, an individual could incur an increase in insurance premiums or get denied disability benefits and never know why. Such instances could affect an individual’s job prospects because insurance premiums could be a factor in employment decisions.

Health-related data in mobile apps and email systems represent another threat to privacy, according to Borten. “I don’t have anything I don’t mind people seeing, but there are business judgments being made on the data,” she contends.

Tom Walsh, president of tw-Security, contends that data integrity is another undervalued security concern.

For example, verified information would go a long way toward stopping medical errors, he contends. However, integrity is mentioned in only two places in the HIPAA security rule.

For one of those mentions, the National Institute of Standards and Technology wrote procedures for testing data integrity only when the data is transmitted. Nothing in the rule addresses whether the data itself is accurate and reliable.

Walsh notes that Sully Sullenberger, the airline pilot who safely landed his crippled plane on the Hudson River, launched a new mission afterward to reduce medical errors. Estimates that errors kill 200,000 patients a year, Sullenberger contends, equate to 20 airliners crashing each week, which would not be accepted in that industry but is tolerated in healthcare. “We need to force vendors to build in software controls to prevent errors,” Walsh says.

Decision support systems in healthcare can determine a dosing error in a prescription, help create appropriate care management plans and maximize revenue, but they don’t assess data integrity, Walsh notes.

Inaccurate master patient indexes represent another data integrity threat: patients can be registered under multiple name variants such as Joe, Joseph and Joey, or many patients can share a common name, and in either case they risk having the wrong medical information associated with them.

With all those names thrown into a health information exchange database, “Who knows, when you push data out, if it’s even close to being right?” Walsh asks. Many physicians know this, he adds, so they won’t use an HIE to query for a patient’s previous test results; they’ll just order another test.
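The two failure modes described above, variants of one patient's name splitting into several records and several patients collapsing onto one common name, are what a master patient index's record-linkage step has to handle. The following is an added example, not code from the article, from any HIE or from any MPI product; the nickname table, the patient records and the use of a phone number as the tie-breaking secondary identifier are constructed assumptions.

```python
"""
Record linkage for a master patient index.

Added example; not from the article or any HIE/MPI product. The nickname
table, the records and the choice of phone number as a secondary identifier
are assumptions. Records are grouped on (canonical first name, last name, DOB);
a group is merged only when a secondary identifier also agrees, otherwise it
is sent for human review rather than silently linked.
"""
import unicodedata

# Constructed nickname table: variant -> canonical given name
NICKNAMES = {
    "joe": "joseph", "joey": "joseph", "jos": "joseph",
    "bill": "william", "will": "william", "billy": "william",
    "bob": "robert", "rob": "robert", "bobby": "robert",
}

# Constructed sample records as they might arrive from several registration systems
RECORDS = [
    {"mrn": "A1", "first": "Joe",    "last": "Garcia", "dob": "1980-05-02", "phone": "555-0101"},
    {"mrn": "A2", "first": "Joseph", "last": "GARCIA", "dob": "1980-05-02", "phone": "555-0101"},
    {"mrn": "A3", "first": "Joey",   "last": "García", "dob": "1980-05-02", "phone": "555-0101"},
    {"mrn": "B1", "first": "John",   "last": "Smith",  "dob": "1975-01-15", "phone": "555-0202"},
    {"mrn": "B2", "first": "John",   "last": "Smith",  "dob": "1975-01-15", "phone": "555-0303"},
    {"mrn": "C1", "first": "John",   "last": "Smith",  "dob": "1962-09-30", "phone": "555-0404"},
]


def normalize_name(name):
    """Strip accents, case-fold, trim, and collapse known nicknames to a canonical form."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    key = ascii_name.strip().casefold()
    return NICKNAMES.get(key, key)


def match_key(rec):
    """Blocking key: canonical first name, normalized last name, date of birth."""
    return (normalize_name(rec["first"]), normalize_name(rec["last"]), rec["dob"])


def classify_groups(records):
    """
    Group records by match_key and decide per group:
      "single" - only one record, nothing to link
      "merge"  - several records and the secondary identifier (phone) agrees
      "review" - several records but secondary identifiers disagree: a likely
                 name+DOB collision between different people, do not auto-merge
    Returns {tuple_of_mrns: decision}.
    """
    by_key = {}
    for rec in records:
        by_key.setdefault(match_key(rec), []).append(rec)
    decisions = {}
    for recs in by_key.values():
        mrns = tuple(r["mrn"] for r in recs)
        phones = {r["phone"] for r in recs}
        if len(recs) == 1:
            decisions[mrns] = "single"
        elif len(phones) == 1:
            decisions[mrns] = "merge"
        else:
            decisions[mrns] = "review"
    return decisions


if __name__ == "__main__":
    for mrns, decision in classify_groups(RECORDS).items():
        print(mrns, decision)
```

On the constructed records, Joe/Joseph/Joey Garcia with one DOB and one phone number become a single merge candidate, while the two John Smiths born on the same day land in "review" because only a name and DOB tie them together. The point an HIE participant should take from this is the one Walsh makes: a source that auto-merges on name and DOB alone will eventually attach one patient's results to another, and a downstream query cannot tell.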

For David Holtzman, vice president of compliance strategies at security consultancy CynergisTek, biomedical devices that access one or more information networks represent an integrity threat that’s received minimal attention in the industry.

“Devices have inherent information security vulnerabilities, and organizations are not equipped to reconcile and resolve them,” he says.

The problem persists because of a lack of leadership by the Food and Drug Administration and device manufacturers, he adds. Only recently did FDA issue draft guidance for voluntary monitoring of threats and vulnerabilities already in the market. And, it isn’t clear if a forthcoming rule will require manufacturers and vendors to develop surveillance programs. For now, Holtzman says, there is no indication of that.
