Better Safeguards Urged for Medical Records

By Kathleen Struck, Senior Editor, MedPage Today

Published: February 28, 2013

 

Hacking into patient medical records can be as easy as tapping into a hospital’s unsecured wireless network from a laptop in the parking lot.

Government auditors proved it “by sitting in hospital parking lots with simple laptop computers” and obtaining “patient information from unsecured hospital wireless networks,” according to Julie K. Taitsman, M.D., J.D., and colleagues from the Office of the Inspector General at the Department of Health and Human Services (HHS).

“Healthcare providers should follow best practices to ensure that computer networks are more secure,” they wrote online in a Perspective piece in the New England Journal of Medicine.

Nearly 300,000 Medicare beneficiary numbers have been compromised and are now being tracked by the Centers for Medicare and Medicaid Services, according to the article. The HHS’ Office for Civil Rights has received more than 77,000 complaints about health information breaches. The office has been able to take action in 18,000 cases stemming from 27,000 investigations, the authors said.

“As progress continues toward the development of a national infrastructure for electronic health information, security of electronic data becomes increasingly important,” they wrote.

Privacy, financial and quality standards can be quickly compromised in healthcare, and providers need to shore up security, the authors suggested.

Breaches in patient information can enable insurance fraudsters to bilk private insurers as well as Medicare and Medicaid. Taxpayer money is then drained away from services, resulting in waste and higher costs for beneficiaries, they said.

Quality of care suffers if hackers taint patient information, for example by mislabeling conditions and treatments, the authors noted. Prescriptions can be denied if pharmacy records show that a prescription was recently filled when in reality it was not.

Password protection, firewalls, antivirus software and other strong security measures are not to be skipped, the authors wrote. Signing in and out of various devices as a practitioner goes from room to room is essential, as are automatic logouts.

Private consultation rooms, controlled prescription pads, paper shredding, passwords, biometric identification, audit trails and erasing the hard drives of rented copiers are all standards practitioners should adopt and uphold.

Personnel should be carefully vetted, including having a background check. They should be trained for “appropriate information sharing,” and when employees transition out, their electronic and physical access to records should be deactivated appropriately, according to the authors.

Secure practices should follow healthcare workers home, as well, especially when using laptops and home computers.

Con artists don’t only manipulate Medicaid and Medicare beneficiaries, the authors warned: They call practices and hospitals pretending to be “referring physicians, specialists, pharmacies, vendors, friends, relatives or insurance representatives.”

Insurers can help by keeping beneficiaries better informed, the article stated. Statements that review services or changes in service should be sent to beneficiaries regularly so fraudulent or incorrect procedures can be corrected.

For providers using mobile devices, the authors cited these recommendations from the Office of the National Coordinator for Health Information Technology:

  • Use encryption, a password or other user authentication.
  • Ensure wiping and/or remote disabling in case a device is stolen or lost.
  • Don’t use file-sharing. Do use firewalls.
  • Use security software to detect viruses, spyware, malware, and keep it current.
  • Don’t download apps casually; research them.
  • Don’t let your devices out of your control.
  • Use security when using public Wi-Fi.
  • Wipe devices clean before discarding them.

 

Although the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and other laws that came after it required certain security standards to be met for exchange of health information, including notifying patients of any breaches in security, “Unfortunately … practice often falls short of intended statutory protections,” the authors added.

 

Primary source: New England Journal of Medicine
Source reference:
Taitsman, J “Protecting patient privacy and data security” NEJM 2013; DOI: 10.1056/NEJMp1215258.
