Major breaches of patient information in 2009 fall into three categories: snoopers, hackers, and breaches involving large quantities of data.
So let's examine the top breaches from the past year and find out what facilities can do to prevent similar problems.
California cracks down on celebrity privacy breach
In May, state regulators in California imposed a large penalty on Kaiser Permanente's Bellflower Hospital in Bellflower, CA. Regulators found that the hospital failed to prevent employees from snooping into the medical records of the so-called Octomom, Nadya Suleman, who gave birth to octuplets in January 2009. The hospital also failed to report the inappropriate access, which is itself considered a security breach.
High-profile cases where hospital employees leaked details of patients' medical conditions to the news media resulted in the new California law that permits the state to impose financial penalties on healthcare providers who don't protect patients' medical records. Fines run as high as $250,000.
Lessons learned: Be sure your workforce members know your policy and that you will hold them accountable, says Margret Amatayakul, RHIA, CPHS, CPHIT, CPEHR, FHIMSS, president of Margret\A Consulting in Schaumburg, IL. "Follow your sanction policies and be strict about them," she says.
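The Bellflower case turned on two failures that an audit-log review catches: staff opening a chart they had no treatment relationship with, and the access never being surfaced for reporting. The following Python script is an added example, not code from the article or from any organization it names. The log lines, user names, patient IDs, care-team assignments and the "restricted chart" list are all constructed, and the five-field CSV layout is an assumption rather than any EHR vendor's audit format.

```python
"""Flag possible snooping in EHR access audit logs (added example).

Three checks: access with no treatment relationship, access to a chart on
the restricted (high-profile) list, and one user opening an unusual number
of distinct charts.  All data below is constructed for illustration.
"""
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample audit log, one access event per line.
# Assumed layout: ts,user,role,patient_id,action
AUDIT_LOG = """\
2009-01-27T08:02:11,rn_garcia,nurse,P-1001,view_chart
2009-01-27T08:05:40,md_chen,physician,P-1001,view_notes
2009-01-27T12:14:03,clerk_jones,billing,P-1001,view_chart
2009-01-27T12:15:22,clerk_jones,billing,P-2047,view_chart
2009-01-27T12:16:01,clerk_jones,billing,P-3310,view_chart
2009-01-27T12:16:45,clerk_jones,billing,P-4422,view_chart
2009-01-27T12:17:30,clerk_jones,billing,P-5578,view_chart
2009-01-27T13:40:09,rn_garcia,nurse,P-2047,view_chart
2009-01-27T14:02:55,rn_patel,nurse,P-1001,break_glass
"""

# Constructed: staff with a documented treatment relationship per patient.
# In practice this comes from ADT/scheduling and unit assignments.
CARE_TEAM = {
    "P-1001": {"rn_garcia", "md_chen"},
    "P-2047": {"rn_garcia"},
    "P-3310": {"rn_patel"},
}

# Constructed: charts placed under restricted access (e.g. high-profile patients).
RESTRICTED_PATIENTS = {"P-1001"}

# Opening this many distinct charts in one day is unusual in this toy data;
# real thresholds are per role and derived from a baseline of normal use.
DISTINCT_PATIENT_THRESHOLD = 4

FIELDS = ["ts", "user", "role", "patient_id", "action"]


def parse_log(text):
    """Parse the assumed CSV audit format into a list of dicts."""
    return list(csv.DictReader(StringIO(text), fieldnames=FIELDS))


def find_snooping(events, care_team, restricted,
                  threshold=DISTINCT_PATIENT_THRESHOLD):
    """Return a list of (kind, user, subject, ts) alerts for review.

    kind is one of: break_glass_review, restricted_chart_no_relationship,
    no_treatment_relationship, high_volume_lookup.
    """
    alerts = []
    charts_per_user = defaultdict(set)
    for e in events:
        user, pid = e["user"], e["patient_id"]
        charts_per_user[user].add(pid)
        # Emergency ("break the glass") access is permitted but must be
        # reviewed afterwards, so it is queued rather than treated as a miss.
        if e["action"] == "break_glass":
            alerts.append(("break_glass_review", user, pid, e["ts"]))
            continue
        if user not in care_team.get(pid, set()):
            kind = ("restricted_chart_no_relationship" if pid in restricted
                    else "no_treatment_relationship")
            alerts.append((kind, user, pid, e["ts"]))
    for user, pids in charts_per_user.items():
        if len(pids) >= threshold:
            alerts.append(("high_volume_lookup", user,
                           f"{len(pids)} charts", ""))
    return alerts


if __name__ == "__main__":
    for alert in find_snooping(parse_log(AUDIT_LOG), CARE_TEAM,
                               RESTRICTED_PATIENTS):
        print(*alert, sep="\t")
```

Each alert is a review item, not a verdict: the privacy officer confirms whether the access was inappropriate, which in turn drives the sanction and the breach-notification decision that Bellflower missed. The accesses by the assigned nurse and physician produce nothing, while the billing clerk who opened the restricted chart and then four unrelated ones shows up three ways.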
Hackers demand ransom for prescription records
In June 2009, Virginia officials began mailing direct individual notifications to more than a half-million people whose Social Security numbers may have been contained in the Prescription Monitoring Program (PMP) database that was hacked by a criminal who demanded a $10 million ransom.
In the April 30 breach, an unidentified hacker left a ransom note at the PMP's Web site claiming to have more than eight million patient records and more than 35 million prescriptions. "For $10 million, I will gladly send along the password," the hacker reportedly wrote.
The Virginia Department of Health Professions, which oversees the PMP database, had to take the system offline after the breach. It reopened for registered users only after the Virginia Information Technologies Agency and law enforcement agencies had approved new security measures.
Lessons learned: "This is probably less frequent, but more difficult to protect against," says Amatayakul. Facilities need to address issues such as intrusion protection and having layered security, she says.
Facilities should look at hardening their firewall so that it controls traffic leaving the network as well as traffic entering it, says Chris Apgar, CISSP, president of Apgar & Associates in Portland, OR. They should also have an active patch management program in place as well as antivirus and anti-spyware software, all of which providers must keep updated. And don't forget about remote users, who need to employ the same protections, he says.
Facilities should test their Web sites and ensure they encrypt sensitive information. Hackers also look for wireless networks, which are a weak spot if not secured properly.
However, "your most significant risk is not the hackers," Apgar says. The biggest risk of a breach is careless staff members who have not been appropriately trained, he says.