There is a lot of talk surrounding HIPAA security, especially as more and more practices implement EMRs. I have attempted to shed some light on the steps you need to perform to ensure your network and patient information are protected. So when I read a story in the Vancouver Sun, I figured I would point out how NOT to implement security. This is a classic example of how a medical institution totally ignored security.
The Vancouver Sun sheds light on the lax security at the Vancouver Coastal Health Authority. Here are some highlights (low-lights) of the story.
“In every key area we examined, we found serious weaknesses,” wrote Doyle. “Security controls throughout the network and over the database were so inadequate that there was a high risk of external and internal attackers being able to access or extract information without the authority even being aware of it.”
“No intrusion prevention and detection systems exist to prevent or detect certain types of [online] attacks. Open network connections in common business areas. Dial-in remote access servers that bypass security. Open accounts existing, allowing health care data to be copied even outside the Vancouver Coastal Health Care authority at any time.”
“Almost all users have some access to confidential information about all clients in the database. Many clients’ full health information is accessible to a large number of users. Team memberships are not up to date, meaning that many unauthorized users could have access to client records that they should not have.”
“Former client records and irrelevant records for current clients are still accessible to system users. Hundreds of former users, both employees and contractors, still have access to resources through active accounts, network accounts, and virtual private network accounts.”
Those are some pretty serious security risks. Basically they had no way of knowing if someone hacked into their network or what they may have accessed. Almost all users had access to the EMR no matter what their job function. They never disabled user accounts after employees or contractors stopped working. In addition, the terminated employees or contractors still had remote access to the network and could still access patient information even after they stopped working for Vancouver Coastal.
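Several of the failures listed above (former employees and contractors with live network and VPN accounts, team memberships that were never pruned, EMR access granted regardless of job function) are the kind of thing a periodic reconciliation between HR records and account inventories catches. The following script is an added example written for this post; it is not from the Vancouver Sun story or the auditor's report, and the roster, accounts, team lists and the `EMR_ROLES` policy are all constructed sample data.

```python
"""Account-lifecycle and access-scope audit over constructed sample data.

Hypothetical example: cross-checks an HR roster against network, VPN and EMR
accounts to flag the failure modes named in the audit (former staff with live
accounts, stale team memberships, EMR access unrelated to job function, and
accounts nobody has used in months).
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Person:
    user_id: str
    role: str
    status: str                      # "active" or "terminated"
    end_date: Optional[date] = None  # last day of employment, if terminated


@dataclass(frozen=True)
class Account:
    user_id: str
    system: str                      # "network", "vpn" or "emr"
    enabled: bool
    last_login: date


# Roles with a legitimate need for patient-record (EMR) access.
# Constructed policy for this example, not any real institution's rule set.
EMR_ROLES = {"physician", "nurse", "records_clerk"}

# Date the audit is run against (fixed so the example is reproducible).
AUDIT_DATE = date(2010, 6, 1)

# Constructed HR roster: two people have left but, as we will see, still hold accounts.
ROSTER: List[Person] = [
    Person("dr_lee", "physician", "active"),
    Person("nurse_kim", "nurse", "active"),
    Person("fac_ops", "facilities", "active"),
    Person("ctr_jones", "contractor", "terminated", date(2009, 10, 31)),
    Person("ex_smith", "nurse", "terminated", date(2010, 5, 15)),
]

# Constructed account inventory pulled from directory, VPN and EMR systems.
ACCOUNTS: List[Account] = [
    Account("dr_lee", "network", True, AUDIT_DATE - timedelta(days=1)),
    Account("dr_lee", "emr", True, AUDIT_DATE - timedelta(days=1)),
    Account("nurse_kim", "emr", True, AUDIT_DATE - timedelta(days=3)),
    Account("fac_ops", "emr", True, AUDIT_DATE - timedelta(days=10)),      # no clinical need
    Account("ctr_jones", "vpn", True, AUDIT_DATE - timedelta(days=200)),   # contractor long gone
    Account("ctr_jones", "network", True, AUDIT_DATE - timedelta(days=200)),
    Account("ex_smith", "emr", True, AUDIT_DATE - timedelta(days=5)),      # used after leaving
    Account("temp_x", "network", False, AUDIT_DATE - timedelta(days=400)), # already disabled
]

# Constructed care-team membership lists that gate record visibility.
TEAM_MEMBERS: Dict[str, List[str]] = {
    "oncology": ["dr_lee", "ex_smith"],
    "cardiology": ["nurse_kim"],
}


def _active_ids(roster: List[Person]) -> set:
    return {p.user_id for p in roster if p.status == "active"}


def orphaned_accounts(accounts, roster):
    """Enabled accounts whose owner is terminated or unknown to HR: disable immediately."""
    active = _active_ids(roster)
    return sorted((a.user_id, a.system) for a in accounts
                  if a.enabled and a.user_id not in active)


def over_privileged_accounts(accounts, roster, emr_roles=EMR_ROLES):
    """Enabled EMR accounts held by active staff whose role does not need patient records."""
    role_of = {p.user_id: p.role for p in roster if p.status == "active"}
    return sorted(a.user_id for a in accounts
                  if a.enabled and a.system == "emr"
                  and a.user_id in role_of and role_of[a.user_id] not in emr_roles)


def dormant_accounts(accounts, today, max_idle_days=90):
    """Enabled accounts unused for more than max_idle_days: candidates for disabling."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted((a.user_id, a.system) for a in accounts
                  if a.enabled and a.last_login < cutoff)


def stale_team_members(team_members, roster):
    """(team, user) pairs where the listed member is no longer an active employee."""
    active = _active_ids(roster)
    return sorted((team, u) for team, members in team_members.items()
                  for u in members if u not in active)


def run_audit(accounts=ACCOUNTS, roster=ROSTER, teams=TEAM_MEMBERS, today=AUDIT_DATE):
    """Collect every finding into one report dict for review or ticketing."""
    return {
        "orphaned": orphaned_accounts(accounts, roster),
        "over_privileged": over_privileged_accounts(accounts, roster),
        "dormant": dormant_accounts(accounts, today),
        "stale_team_members": stale_team_members(teams, roster),
    }


if __name__ == "__main__":
    for finding, items in run_audit().items():
        print(f"{finding}: {items}")
```

Against the sample data the audit flags the contractor's VPN and network accounts and the departed nurse's EMR account as orphaned, the facilities account as having EMR access it does not need, and the departed nurse still listed on the oncology team. The point is that each of these checks is a join between two data sources the institution already holds; the failure in the story was that nobody ran the join.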
The security was so weak that the auditor of the Vancouver Coastal network delayed publishing his report for 6 months to give Vancouver Coastal time to correct the security problems. In all, the auditor made 127 recommendations for changes to the security procedures.
So if you are thinking about implementing the correct procedures to ensure that your network is secure, make sure you don’t follow Vancouver Coastal’s methodologies!