Future Tense

Study: Some Hospitals Lack Even Basic Data Protection for Patient Records

Hospitals, doctor’s offices, and other care facilities could be doing a better job of protecting medical records, according to a new study that looked at U.S. health care providers’ cybersecurity.

The Healthcare Information and Management Systems Society conducted a survey of 119 acute care facilities (hospitals and health care systems), and 31 non-acute care providers (doctor’s offices, mental health facilities, and outpatient care), to determine how providers were protecting medical records.

Chief among the findings was that 32 percent of acute care facilities, and 52 percent of non-acute providers, do not encrypt data in transit. And 39 percent of acute-care facilities and 52 percent of non-acute facilities don’t encrypt data at rest.

Encryption, as Danielle Kehl helpfully explained in Slate, is the process of protecting “the security and integrity of data as it is transmitted or stored on devices.” She wrote:

Encryption is the process of combining the contents of a message (“plaintext”) with a secret password (the encryption “key”) in such a way that scrambles the content into a totally new form (“ciphertext”) that is unintelligible to unauthorized users. Only someone with the correct key can decrypt the information and convert it back into plaintext. Encrypting data doesn’t stop someone who is not the intended recipient of a message from intercepting it—but it helps ensure that he won’t be able to decipher it if he does. Herewith is a basic explanation of where encryption stands today—and how you can use it to protect yourself and your communications.

Without encryption, data is vulnerable to a number of online schemes. For data in transit—that is, records that are being sent within or to a system—the lack of encryption can leave data “susceptible to being breached by eavesdropping, packet sniffing, or other means,” the study warned. (A packet sniffer is a computer program that allows the user to log and analyze a network’s traffic, including usernames and passwords.)

Furthermore, the study says, unencrypted stored data is susceptible to a breach. “If a computer, laptop, thumb drive, or backup were to be stolen, any person would be able to access such information,” the authors warned.

Another surprising finding was the fact that not all providers are using firewalls, one of the most basic protections available, to guard their networks. Only 78 percent of acute-care providers and 90 percent of non-acute facilities have firewalls in place, the study found. It says: “Firewalls monitor and filter network traffic—not having firewalls may leave an organization susceptible to compromise. Simply put, firewalls are a basic component of network security.”

Across the board, the providers surveyed ranked ransomware cyberattacks as their top “future threat.” This isn’t a surprise considering several hospitals have recently become victims of this approach, in which hackers take over hospital systems and demand that the hospital pay to regain access. As Josephine Wolff wrote in Slate back in February, Hollywood Presbyterian Medical Center’s network was infected by a “ransomware program that shut down the entire hospital’s computer systems for more than a week until the hospital finally agreed to pay its attackers 40 bitcoins,” which were worth about $17,000 at the time.