Halloween Scary Security Stories – Healthcare Security Risks

David Ting
Feb 03, 2012

This week, I took part in Network World’s annual real-life scary security stories podcast, a panel hosted by Keith Shaw that looks at some of the most frightful security incidents over the past year. This year, I focused on some of the data security incidents that are becoming all too common in the healthcare industry.

It seems like we read about a new healthcare related data breach every other week – whether its celebrity records being exposed, or a case like the Virginia Department of Health exposing more than 8 million patient records. For security officers and CIOs in healthcare, a bigger scare is found in the new fines imposed by states like California, where organizations are fined up to $250,000 for each data breach incident.

These incidents, and the harsh penalties being enacted, have forced the healthcare industry to take a closer look at their security practices. Most organizations understand the need for strong authentication – using technologies such as biometric fingerprints to ensure that only the properly credentialed can access sensitive data. While this prevents the wrong people from accessing your systems, it doesn’t address the growing concern of unintentional data breaches caused through inadvertent access.

Inadvertent access occurs when someone is authenticated into a system, but accidentally leaves the access open on the workstation they’re using. Here’s one story I shared with Keith:

A customer I spoke with had a small clinical practice with 3 examination rooms – each containing a computer. As the nurse walks in, she securely authenticates into the workstation to log patient data. When she’s finished, she locks the stations and goes to get the doctor. As the doctor comes in to see the patient, he re-authenticates into the system and adds in his patient notes and diagnosis, then leaves to check on another patient – leaving the system unlocked. The patient now has access to his medical records and can see all the notes the doctor wrote – while having the ability to access other records in the system.

In the instance above, the healthcare organization was sued by the patient who actually looked at his own record and didn’t like the information the doctor wrote about them.

Scary stuff – despite properly authenticating users, unintentionally leaving the system open created a security hole that circumvented these controls. I’ve blogged about the importance of walk away security in the past, which can close the other side of the security gate and prevent unintentional access from occurring.

Have a scary security story to share? Email me and let me know.