Computer Security Holes Can Cost You

Physician's Money Digest, Spring 2013, Volume 15, Issue 1

Anyone spending time in the medical field has at least one horror story to tell about computer security. Many physicians do not take warnings about keeping data secure seriously and undermine efforts to keep private medical information private.

Last year, Avi D. Rubin, PhD, professor of Computer Science and Technical Director of the Information Security Institute at Johns Hopkins University, told The Washington Post that medicine has more security holes than any other industry. He suggested that if the financial sector had the same disregard for security, he would put his cash under a mattress.

“Doctors should be aware that although they may feel computer security isn’t as important as saving lives, a little effort on their part can go a long way toward protecting the privacy of their patients,” Rubin says. “This should be considered as much a part of patient care as other things they do.”

HIPAA and HITECH place special importance on computer-related security and violation penalties run to $50,000, capped at a total of $1.5 million. Each complaint must be formally investigated if preliminary reviews suggest even a possible violation.

However, the cost of penalties is only the first reason that physicians need to take this issue more seriously.

“Physicians are all about what is best for our patients and breaching their privacy doesn’t reach that standard,” said Glen Stream, MD, MBI, board chair for the American Academy of Family Physicians. “Unlike making someone whole after identity theft, if confidential information is disclosed, you can’t ever give back a patient’s privacy.”

HHS Reporting and Patient Loss Concerns

Under the recently released final rules, security breaches are presumed to be reportable to the Secretary of Health and Human Services (HHS) unless a risk analysis of four specific factors determines a “low probability” of compromise. This information is placed on what is becoming unofficially known as HHS’s “Wall of Shame.”

In addition, every individual has to be contacted and offered identity theft protection. The media must be notified as well.

“The response is not just a matter of notifying the patients,” noted Alan E. Brill, Senior Managing Director at Kroll Advisory Solutions in Secaucus, N.J. “You will need to bring in forensic computer specialists to see which records were accessed and how long the bad guys had been rummaging around your computer. It is likely that legal help will be needed since notification laws differ in every state.”

It is strongly suggested that practices get legal advice on the changes brought about by the final rules. Updating policies and procedures may prove important in defending against some of the ramifications of a breach. Compliance will be required by Sept. 23, 2013.

Patients Leave “in Droves”

The average cost per record for health care data breaches in 2011 was $240, which was 24 percent higher than the average across industries. Health care data breaches are the fourth highest by industry, according to a study by the Ponemon Institute LLC.

“The biggest impact on those who don’t take security seriously may be your patients leaving in droves,” said Harry B. Rhodes, MBA, director of HIM Solutions in Chicago. “Studies I have done indicate 69 percent of the cost of stolen data is due to lost business. This is the highest customer turnover rate directly attributable to breaches of any industry.”

Many adverse outcomes are avoidable if physicians understand the risks and take easy steps to protect themselves, their patients and their practice.

“People think hackers from Eastern Europe or China are the biggest concern in computer security,” Rhodes said. “Only between 5 percent and 10 percent of data breaches are related to this kind of unauthorized entry. Most of the time, it is something as pedestrian as having a laptop or smartphone lost or stolen.”

Loss/Theft Big Issue

Figures from security vendor Symantec indicate that 525,000 laptops a year are stolen. A study from HHS found 24 percent of all major breaches (consisting of more than 500 records) involved portable devices.

Physical security is an easy way physicians can lessen the chances their computers and patient information will be stolen.

Among the suggestions for securing mobile devices are:

  • Never leave laptops unguarded in hotel rooms.
  • Carry portable devices in unobtrusive bags.
  • Never leave a laptop bag in plain view in your car.
  • Be especially careful and observant at an airport, which is one of the most common theft locations.

“These also are important considerations in professional settings,” Rhodes said. “Computers left on a desk have been stolen from offices, doctor’s lounges and hospital floors.”

Password Strength

Using passwords to gain access to data stops all but the most serious thieves. However, many physicians don’t like them and use weak passwords that can easily be guessed or write them down nearby.

Good passwords don’t use actual words, because there are programs available that try every word in a dictionary until one works. Stay away from anything that might be guessed from social networks or other indicators.

“I was on a cruise talking with people I met during the trip. I saw one guy all decked out in Alabama football gear,” Brill said. “I successfully guessed his computer password was ‘Go Tide’.”

Other bad passwords include names of pets or children, sequential or repeated numbers and letters, or words such as “letmein.” According to password manager SplashData, “password” was the one most often hacked in 2012.

The number of passwords a person needs leads to a form of alert fatigue. A 2012 study by Harris Interactive found 59 percent of adults have five or more unique passwords associated with their online logins, and 30 percent have more than 10 different passwords to remember.

“The average thief won’t have the expertise or time to beat good passwords,” Rhodes said. “Simple but robust passwords will help keep your data safe from all but the most determined thieves.”

Here's how to make passwords harder to hack yet easier to remember:

  • Use at least 12 keystrokes.
  • Use upper- and lowercase letters, spaces, underscores and symbols like @ and %.
  • Base your passwords on foods you like, TV shows or first letters of song lyrics.
  • Don’t write passwords down.
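The checklist above, together with the bad-password patterns named earlier in the article, can be turned into a simple self-check. The Python below is an added example, not code from the article or from any product it mentions; the dictionary and common-password lists are small constructed stand-ins for the real wordlists a guessing program would use.

```python
import re

# Constructed stand-ins: a real check would use a full dictionary and a breach list.
COMMON_WEAK = {"password", "letmein", "go tide", "qwerty", "welcome1"}
DICTIONARY = {"password", "tide", "welcome", "football", "doctor", "medicine"}


def has_sequential_run(s, n=3):
    """True if s has n consecutive chars stepping by +1 or -1 in code point ('abc', '321')."""
    codes = [ord(c) for c in s]
    for i in range(len(codes) - n + 1):
        window = codes[i:i + n]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def has_repeated_run(s, n=3):
    """True if any character appears n or more times in a row ('aaa', '111')."""
    return re.search(r"(.)\1{%d,}" % (n - 1), s) is not None


def check_password(pw, personal_words=()):
    """Apply the article's guidance; returns a list of problems (empty means it passes).

    personal_words: names, teams, pets etc. that someone could learn from social media.
    """
    problems = []
    low = pw.lower()
    if len(pw) < 12:
        problems.append("shorter than 12 keystrokes")
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),   # spaces, underscores, @, % ...
    ]
    if sum(classes) < 3:
        problems.append("uses fewer than three character classes")
    core = re.sub(r"[^a-z]", "", low)       # 'Password1!' -> 'password'
    if low.strip() in COMMON_WEAK or core in DICTIONARY:
        problems.append("is a common or dictionary password")
    for word in personal_words:
        if word.lower() in low:
            problems.append(f"contains guessable personal term '{word}'")
    if has_sequential_run(pw) or has_repeated_run(pw):
        problems.append("contains sequential or repeated characters")
    return problems
```

A first-letters-of-lyrics passphrase such as "Ttls_Hiwwya!" (from a nursery rhyme, constructed here) passes every rule, while "Go Tide" fails on length and on being guessable from the owner's visible interests.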

“Doctors rely on accountants to do our taxes and lawyers to keep us out of legal trouble, and we need to acknowledge similar professional stature to the people who are advising us on computer security,” Stream said. “Physicians sometimes don’t follow security suggestions because they don’t understand. How is that different from patients telling us they won’t follow our treatment recommendations even though we have given the best medical advice?”