The Washington Post published a report that is highly critical of the security of patient information in the healthcare industry.
A year-long examination of cybersecurity by The Washington Post has found that health care is among the most vulnerable industries in the country, in part because it lags behind in addressing known problem
Avi Rubin, a computer scientist and technical director of the Information Security Institute at Johns Hopkins University, was quoted:
“I have never seen an industry with more gaping security holes,” said Avi Rubin. “If our financial industry regarded security the way the health-care sector does, I would stuff my cash in a mattress under my bed.”
John Halamka, a physician and Harvard University professor who is co-chairman of the HHS health information technology standards committee, gave a more optimistic view:
Health-care industry is “not as good” as in other industries. But he added that the industry is aware of the problems and is scrambling to make improvements.
“It’s completely headed in the right direction,” he said.
The Department of Health and Human Services (HHS) encourages healthcare organizations to combine cultural, practical and technical solutions to protect patient information. They also point out that 2012 was a record year of enforcement and fines collected for failing to protect patient privacy and security.
HHS officials said health-care providers must combine cultural, practical and technological solutions to defend against theft and hacking. The officials also said that they have ramped up enforcement efforts against organizations that failed to protect patient information.
“While there is always more work to do, we have reached record settlements against companies who violated privacy laws and sent a message to everyone that privacy violations will not be tolerated,” said Leon Rodriguez, director of the HHS Office for Civil Rights.
It seems that most people are aware of the security vulnerabilities to patient information, but there is not a great deal of concern:
“The doctors and technicians I spoke with seemed mostly well aware that their systems are vulnerable,” said Rubin, who has previously found security problems in voting machines. He said that health care “is an industry with the least regard, understanding and respect for IT security of any I’ve seen, and they have some of the most personal and sensitive information of anyone.”
The report is not surprising, but it does show how widespread the lack of security is in the healthcare industry. The question that needs to be answered is when organizations will take security seriously and put their best efforts towards securing patient information and medical devices. Hopefully it will not take a security incident of epic proportions to wake up the healthcare industry.