Special E-Mail Bulletin
March 2003
Computer Security and HIPAA
Hello, everyone.
As "HIPAA Day" approaches (April 14th) we should all be checking and rechecking our preparations to deal with the privacy regulations.
At the same time we should be planning and implementing the electronic (computer) security regulations in effect as of April 2005, but which absolutely go hand-in-hand with the privacy regs. You should not be waiting to put your computer security plans into action. Get started now.
Here's an interesting story that makes this point. It's from the March 24 issue of AMNews.
Gil Weber
Computer hackers access 7,000 patient files
The break-in at the Indiana University School of Medicine should serve as a wake-up call to adequately protect patient information against possible identity theft.
By Tyler Chin, AMNews staff. March 24/31, 2003.
Are medical files such a compelling read that hackers would want to target your computers?
That's the question raised by a computer break-in at Indiana University School of Medicine in Indianapolis.
On Feb. 28, the school announced that hackers had gained unauthorized access to one computer at the university's Center for Sleep Disorders that had the names, addresses, Social Security numbers and dates of birth of about 7,000 patients.
The hackers did not have access to patients' medical records, but had access to why patients were being seen at the center, said Mary Hardin, a spokeswoman for the medical school.
In a letter dated Feb. 12, the university told patients it had no way of knowing whether the hackers had downloaded, printed or misused their data to steal their identities. As a precaution, it asked them to carefully review their credit card and financial statements. As of March 6, Indiana University had not received any reports of identity theft, Hardin said.
Identity theft is the motivation for some hackers.
The break-in, and the fact that health information wasn't touched, raises the question of what computer hackers are really after -- medical records or personal information. Some health care information security experts believe the latter is more likely, because those data are more valuable than data in medical records.
"Say a hacker finds out I have trouble sleeping at night. So what? What will they do with that information? There's no market for it," said Tom Walsh, senior consultant with the e-security practice of CTG Health Care Solutions, Cincinnati.
While the information in a medical record has little or no value, a Social Security number and other personal information have "real value" because they can be used to steal someone's identity, access bank accounts and get credit cards under that person's name, Walsh said. Identity theft is a growing problem in the United States, creating serious financial and nonfinancial hardship for victims.
What's motivating hackers?
Hackers constantly attempt to break into the computers of entities in every industry, but physicians and hospitals are particularly vulnerable due to a historical tendency to invest less in information technology than other industries invest. And little of that money has gone into information technology security, Walsh said.
Universities and academic medical centers are also "easy pickings" because they have a culture of openness and information sharing, he said.
While identity theft motivates some hackers' actions, most try to break into the computer systems of medical and nonmedical entities for sport rather than to specifically access or grab information in those systems, Walsh said.
The ability of computers within a system to share information makes them attractive to hackers.
Some hackers may not even view whatever information is stored on a computer system after they crack it open, said Kate Borten, president of The Marblehead (Mass.) Group, a privacy and security consulting firm. Instead, they may simply use the network as a launching pad to attack other networks or for some other malicious purpose, she said.
Whatever the hackers' motives, doctors and others have no choice but to take steps to protect the privacy and security of their patients' health information, she said. That's because protecting patient privacy is an essential business practice, it's required by HIPAA and it's a way to minimize exposure to privacy lawsuits.
HIPAA's privacy and security rules take effect on April 14, 2003, and in April 2005 respectively. Violators face stiff fines. But as stiff as the fines are, lawsuits from patients pose a bigger threat to doctors and other health professionals than the U.S. Dept. of Health and Human Services does, Borten said.
"Those of us in [information] security have always said that the biggest concern is a private lawsuit or class-action lawsuit," Borten said. The lawsuits are "really to be feared, because people don't have to wait for [HIPAA] to become effective to sue."