The nation’s push to computerize medical records has failed to fully address longstanding security gaps that expose patients’ most sensitive information to hackers and snoops, government investigators are warning in a new report.
Two reports released Tuesday by the inspector general of the Health and Human Services Department find that the drive to connect hospitals and doctors so they can share patient data electronically is being fused onto a system that already has glaring privacy problems. Connecting the two could open new pathways for hackers, investigators say.
The market for illicit health care information is booming. In recent years, the case of a former UCLA Medical Center worker who sold details from the files of actress Farrah Fawcett, singer Britney Spears and others to the National Enquirer gained notoriety.
Most cases don’t involve celebrities or get much attention. Yet con artists covet health care records because they contain key data such as names, birth dates and Social Security numbers that can be used to construct a false identity or send Medicare counterfeit bills.
The shortcomings in the system “need to be addressed to ensure a secure environment for health data,” said the main report, adding that the findings “raise concern” about the effectiveness of security safeguards for personal health care information.
President Obama has set a goal for every American to have a secure electronic health record by 2014. Eventually, hospitals and doctors would be able to instantly share patients’ clinical information online.
Auditors for the inspector general did find that the government agency leading the push for electronic records has put in place some requirements for safely transmitting computerized medical data.
However, that same agency has not issued general security requirements for the computer systems at hospitals and doctors’ offices, systems on which the information would be created, shared and stored. It’s a little like putting a big lock on the front door of the house, but leaving the garage door open.
The hospitals were located in California, Georgia, Illinois, Massachusetts, Missouri, New York, and Texas. For security reasons, they were not identified. But the list of vulnerabilities read like a road map for hackers.
All of the hospitals had access-control vulnerabilities, including inadequate passwords, computers that did not automatically log off inactive users, and unencrypted laptops that contained patient data.
One case was decidedly low-tech: At one hospital, the lock on the back door of a room used to store radiology data was taped over. The report said that as the auditors were watching, they saw a maintenance worker walk in.