Hospitals underrate malicious intent in data breaches

Pamela Lewis Dolan reports in the May 26 issue of AMNews:

Hospitals generally are well aware of what they have to do under the Health Insurance Portability and Accountability Act to ensure the security of patient data. They are also aware that their own employees might be the ones who breach that security.

However, hospitals generally underestimate the malicious intent and the financial damage involved in data breaches and are unaware they’re being targeted by perpetrators wishing to commit identity theft or medical fraud.

That is the conclusion of a recent report by the Health Information and Management Systems Society. The report was based on responses to a January telephone survey from 263 hospital executives responsible for patient data.


Of those respondents whose organization had an information breach, 80% said an employee was the perpetrator, while another 9% said a temporary or contract worker was responsible. In many cases, respondents commented that employees were “snooping” or somehow had accidentally gotten into
an unauthorized file.

But the HIMSS report said the respondents showed they underestimated malicious intent to access data by how infrequently breaches associated with stolen laptops or computers, deliberate acts by unscrupulous employees, and outside hackers were a primary concern.

It also said respondents tended to react to breaches by firing or otherwise sanctioning employees, or providing employee education, or other reactive measures that didn’t address the underlying security of data.

Full story at AMNews requires subscription or membership.

Comment: this article is discussing the April 2008 HIMSS Analytics Report: Security of Patient Data [pdf].

About the author: Dissent

Comments are closed.