HIPAA/SECURE:
Security Q/A
January 2004
"Security Awareness for the CXO: Real Life Stories of Real Life Risk"
by William Miaoulis, CISA, Principal, Phoenix Health Systems
In speaking with information security officers over the last 15 years, one issue about their security programs that frequently comes up is:
"If I could just convince my CEO/CFO/CIO that the security risks are real, they would give me the resources to implement the security safeguards that are necessary."
Published in February 2003, the long-awaited HIPAA Security regulations provide much-needed support to Information Security Officers' (ISOs) goals to implement security controls.
Inevitably, the question most corporate officers (CXOs) want answered is, "What are the actual security risks to my organization, and which are the highest priority?" One way an ISO can answer this question is to provide information about real-life healthcare security breaches. Sources for these breaches are numerous, including past HIPAAlerts, HIPAAdvisory.com, HIPAAPrivacy.org, and your local and national media. When presenting this information to your CXO, you should be prepared to indicate the likelihood of these types of events happening at your organization, and the controls necessary to minimize the specific risks.
Let's consider a few examples:
Example #1: Celebrities, at My Hospital? Never Happens!
Many CXOs believe that celebrities do not come to small-town hospitals. What is important to remember is that someone's records may become very important or newsworthy after their visit to your facility. Case in point: the recent Kobe Bryant allegations in Colorado.
"Following the rape accusations against basketball player Kobe Bryant, the alleged victim's medical records were subpoenaed by Bryant's defense lawyers from a Colorado hospital. After a hospital employee released the records to a judge, attorneys for the hospital asked the judge to throw out the subpoenas and destroy the records already received by him, citing state and federal medical privacy laws.... However, a number of news stories have published sensitive medical information that reporters allege came from hospital employees." (M. Miller, "Issues of Privacy in Bryant Case," Los Angeles Times, September 8, 2003)
How could this development have been avoided?
Some of the controls that could be implemented to minimize such a risk include better training, audit trails of computer access, security incident procedures, and procedures for physical control over these types of records.
Example #2: One Man's Trash is Another Man's Treasure
How are you disposing of your computers and other electronic media that contains or contained electronic protected health information (ePHI)? Is the information systematically removed to ensure that information is not given to others? What is the likelihood that the following stories could be repeated about your organization?
- "Two graduate students at the Massachusetts Institute of Technology (MIT) found more than 5,000 credit card numbers, medical reports, and detailed personal and corporate financial information on over 100 computer hard drives they bought for less than $1,000. Their findings, titled 'Remembrance of Data Passed: A Study of Disk Sanitation,' are being published in the January/February 2003 issue of IEEE Security and Privacy, a journal published by the IEEE Computer Society." (HIPAAlert, January 21, 2003)
- "A Kentucky state computer that was put up for sale for $25 contained files naming thousands of people with AIDS and other sexually transmitted diseases. The state auditor's office purchased the computer and, upon taking it back to the office for testing, discovered the confidential information. The auditor's office issued an alert that all surplus computers must be wiped clean with special software." (C. Wolfe, "Discarded Computer had Confidential Medical Information," Associated Press, February 6, 2003)
Example #3: Insiders Who Abuse the System
Does your organization have controls to limit access to patient information? Does this include audit trail review, training, enforcement and sanctions? How well does your organization protect the confidential information of your employees and patient records?
- "A patient at Brigham and Women's Hospital in Boston learned that employees had accessed her medical record more than 200 times." (R. Mishra, "Confidential Medical Records Are Not Always Private," The Boston Globe, August 1, 2000, p. D1)
- "In Georgia, a nurse claims that her immediate supervisor accessed her medical records without permission. The supervisor, Dr. Thomas Boyer of the Emory School of Medicine, accessed her electronic medical records by posing as her treating physician. He claims that he did so out of concern that she had contracted an illness on the job." (B. Schmitt, "Suit Alleges University Tapped into Nurse's Medical Records," Fulton County Daily Report, October 26, 1999)
Example #4: Spyware Not Just the Subject of Novels
Are your computers susceptible to someone installing unauthorized software, such as a probe, on them? What have you done to prevent spyware from being loaded on your machines?
"An automated probe slipped into a computer at Indiana University's Center for Sleep Disorders in late November, possibly compromising thousands of patients' personal information. The break-in was discovered January 3 and letters were sent on February 12 to 7,000 patients who have attended the sleep center in the past 14 years. It took six weeks for the university to send the letters to patients because some older records did not contain up-to-date address information." (HIPAAlert, March 12, 2003)
Example #5: Have SSN, Will Travel
Is identity theft a risk at your organization? What have you done to eliminate, or at least reduce, the internal use of Social Security numbers (SSNs) as a primary ID at your organization? Are discarded patient identification plates destroyed properly? Have you limited information to the minimum necessary and can you ensure that access is limited to only those who require it?
"A hospital clerk at Jackson Memorial Hospital in Miami, Florida, stole the Social Security numbers of sixteen patients named Theresa when they registered at the hospital. The hospital clerk then provided the Social Security numbers and medical record information to a friend, also named Theresa, who opened up over 200 bank and credit card accounts and bought six new cars." (D. Sherman, Stealing From The Sick, NBC6.net, May 21, 2002)
Example #6: Knock, Knock, Who's There?
Are your computers in a secure location as required by HIPAA? Are they subject to theft? Is your computer room easily accessible to thieves? Is it controlled by locks? Is it secure after hours? What controls could you implement to protect your most important computers?
"Thieves broke into TriWest Healthcare Alliance in Phoenix, Arizona, and stole computers that contained medical and Social Security records of over 500,000 retired and current military personnel. TriWest is a contractor that stores information for the Department of Defense. The FBI and other law enforcement agencies are investigating the security breach, and TriWest has offered a reward of $100,000 for information leading to an arrest. It is unknown if any of the personal information obtained in the theft has been misused." (A. Clymer, "Threats and Responses: Privacy," The New York Times, January 11, 2003)
Example #7: You've Got Mail. Lots and Lots of Really Bad Mail
Many organizations and CXOs understand the importance of viruses and worms. However, it never hurts to remind them of controls implemented by the IT Department to prevent something "bad" from occurring at your organization. This awareness shows the CXO that security spending provides legitimate value.
"A new Windows mass-mailing virus, which disguises itself as a file sent by a computer user's network administrator, began infecting systems on Friday and quickly rose to the top of the virus charts last week. The worm attempts to exploit a vulnerability in Internet Explorer that allows a script to be executed by an infected computer. The worm then tries to use that script to mass email itself, potentially clogging mail servers or slowing down networks, according to antivirus company Symantec." (HIPAAlert, August 2003)
Relaying real events to your CXOs is an invaluable technique for ensuring and reinforcing their awareness of today's information security climate. As you design your security program, select appropriate reports such as those above, and when presenting this information, consider providing a brief, one-paragraph narrative (written by the ISO) that outlines the risks and the probability of the event happening at your organization. Finally, ask yourself every time you read about a new information security breach: "Could this happen here, and what should we be doing to prevent it?"
Bill Miaoulis, CISA, Principal, is a senior Phoenix project leader responsible for management of enterprise security projects and other HIPAA education, assessment, planning, and remediation engagements.