IT Malpractice: Doc Operates on Server, Costs Hospitals $4.8M

Two hospitals recently violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules when a physician attempted to deactivate a personal computer from the hospitals’ shared network. As a result, the servers on the network, as well as the security settings, were deactivated, leading to the disclosure of patients’ electronic Protected Health Information (ePHI).1 In general, healthcare organizations are vulnerable to this type of incident because of the prevalence of partnerships with other entities, including hospitals, research institutions, physicians, insurance companies, etc. The goal of such partnerships is a shared commitment to promote healthy communities through disease prevention, treatment, and education; to meet this goal, partners collaborate by sharing ePHI and network resources. This document discusses the consequences of inadequate network security in hospitals, the lessons learned from the data breach incident, and the need for training healthcare workers to mitigate future incidents.

Consequences: The following are potential consequences of inadequate hospital network security.

Confidentiality: Disclosure of patients’ ePHI could lead to medical identity theft, which has been reported to be on the rise in recent years.2 Medical identity theft involves the use of a person’s Personally Identifiable Information (PII) to illegally obtain medical services such as treatment, prescriptions, and even health insurance. Malicious actors could also sell the victims’ information to other parties, who could use it for other malicious acts.

Integrity: Inadequate hospital security could lead to a loss of data integrity when unauthorized personnel modify network resources without permission. In the case described above, the doctor’s actions led to an unauthorized modification of the network resources, which resulted in the exposure of PII. Another possible violation of data integrity would be unauthorized alteration of the patients’ medical information, which may involve changing the patients’ treatment information, changing the billing address where prescriptions are mailed, adding a medical service that was not provided to the patients’ bill, etc.

Availability: Denial-of-service attacks could result when adversaries gain entry to the network.

Lessons learned: The following are lessons learned regarding hospital network security.

Separate networks: There is a need for each hospital to have a separate, independently owned network, even when it is involved in partnerships with other hospitals/entities. Having separate networks ensures that each hospital enforces its own network security and establishes standards for protecting the privacy and security of PII. Separate networks would also ensure that a security breach at one hospital does not affect other hospitals. Established government standards should be used to design secure technical architecture for exchanging patients’ PII.3

Personal device detection: Another lesson learned is the need for policies prohibiting the use of personal devices to access secure networks and servers that contain PII. In addition, techniques need to be implemented to (1) detect when an unknown device (such as any personal device) is connected to or disconnected from the network and (2) follow up with the necessary security measures.
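One practical form of the detection step above is to compare DHCP server events against an inventory of authorized devices and raise an alert whenever an unlisted device joins or leaves. The following is an added example written for this post, not code from the original article or from the hospitals involved; the MAC addresses, hostnames and ISC dhcpd-style log lines are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed inventory of authorized devices (hypothetical MAC addresses).
# In practice this would come from the hospital's asset management system.
AUTHORIZED_DEVICES = {
    "00:11:22:33:44:55": "ward3-workstation-01",
    "00:11:22:33:44:66": "radiology-pacs-srv",
}

# Constructed sample of ISC dhcpd syslog lines: two inventory devices and
# one personal laptop that connects and later disconnects.
SAMPLE_LOG = """\
Jun  3 08:12:01 dhcp1 dhcpd: DHCPACK on 10.20.1.15 to 00:11:22:33:44:55 (ward3-workstation-01) via eth1
Jun  3 08:14:37 dhcp1 dhcpd: DHCPACK on 10.20.1.99 to aa:bb:cc:dd:ee:ff (drsmith-laptop) via eth1
Jun  3 08:20:05 dhcp1 dhcpd: DHCPRELEASE of 10.20.1.99 from aa:bb:cc:dd:ee:ff (drsmith-laptop) via eth1 (found)
Jun  3 08:21:10 dhcp1 dhcpd: DHCPACK on 10.20.1.16 to 00:11:22:33:44:66 (radiology-pacs-srv) via eth1
"""

ACK_RE = re.compile(r"DHCPACK on (\S+) to ([0-9a-fA-F:]{17}) \(([^)]*)\)")
RELEASE_RE = re.compile(r"DHCPRELEASE of (\S+) from ([0-9a-fA-F:]{17}) \(([^)]*)\)")

@dataclass(frozen=True)
class DeviceEvent:
    action: str      # "connected" (lease granted) or "disconnected" (lease released)
    ip: str
    mac: str
    hostname: str

def parse_events(log_text):
    """Turn dhcpd lease lines into connect/disconnect events; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            events.append(DeviceEvent("connected", m.group(1), m.group(2).lower(), m.group(3)))
            continue
        m = RELEASE_RE.search(line)
        if m:
            events.append(DeviceEvent("disconnected", m.group(1), m.group(2).lower(), m.group(3)))
    return events

def unknown_device_alerts(events, inventory=AUTHORIZED_DEVICES):
    """Return one alert string per event whose MAC is not in the authorized inventory."""
    return [f"ALERT unknown device {ev.mac} ({ev.hostname}) {ev.action} at {ev.ip}"
            for ev in events if ev.mac not in inventory]

if __name__ == "__main__":
    for alert in unknown_device_alerts(parse_events(SAMPLE_LOG)):
        print(alert)
```

The alerts are the trigger for the follow-up measures the text calls for (for example, moving the port to a quarantine VLAN and notifying the security team); MAC-based matching is a first line of detection only, since MAC addresses can be changed, so it should be combined with 802.1X or similar authentication on the access layer.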

Training of healthcare workers: The security breach on the two hospitals’ network highlights how the lack of end-user training in the hospital environment could have devastating consequences. Research findings show that end-user security behavior can enhance the effectiveness of network security.4 In the case of hospitals, healthcare workers (e.g., doctors, nurses, and administrative staff) need to have the necessary expertise to protect patients’ ePHI. This expertise can be developed through training specifically designed to increase security awareness and knowledge about how to protect the security and privacy of ePHI. An effective security awareness training program should focus on government regulations for PII security and privacy and should also include extensive hands-on training of the technical procedures for protecting PII. Training programs should also expose healthcare workers to the consequences of data breaches; specifically, how failure to protect ePHI affects the patient and the hospital.

This post was written by: Amanda Joyce

1  Vijayan, J., 2014, “IT Malpractice: Doc Operates on Server, Costs Hospitals $4.8M,” Computerworld, May 8, accessed June 2014.
2  Ollove, M., 2014, “The Rise of Medical Identity Theft in Healthcare,” Kaiser Health News, February 7, accessed June 2014.
3  NIST (National Institutes of Health), Health Information Technology, 2011, “Health Information Exchange (HIE) Security Architecture,” January 3, accessed June 2014.
4  Stanton, J. M., K. R. Stam, P. Mastrangelo, and J. Jolton, 2005, “Analysis of End User Security Behaviors,” Computers & Security, 24(2), 124–133.