Despite privacy regulations, data breaches are not only becoming more common within the medical community, hospitals and medical centers are slow to report the breaches to patients.
During the month of May, for example, patients at Staten Island University Hospital in New York were told that a computer with their medical records was stolen four months earlier, while information on patients of the University of California San Francisco (UCSF) Medical Center was accessible on the internet. The affected patients were told six months after it was discovered.
One reason medical data breaches are increasing is because more hospitals are integrating electronic records, said Pam Dixon, executive director of the World Privacy Forum.
“Until recently, we were in an era of privacy through obscurity,” Dixon told SCMagazineUS.com on Wednesday.
With everything in paper form, it was possible to get information on a patient, but was not easily shared.
The bottom line: What once only a handful of people had access to is now accessible by any number of medical personnel, and not just within the hospital, said Todd Chambers, chief marketing officer at Courion, a provisioning and access compliance solutions provider.
“Medical information is sent out to lab firms, or patient data needs to be shared with a specialist not part of the hospital system,” Chambers said. “There is a need for more data control in these non-employee relationships.”
In the UCSF situation, the breach highlighted an otherwise little known practice of sharing patient information for fund-raising purposes. Historically, hospitals have always approached “grateful” patients for fund-raising, said Arthur Caplan, a medical and bioethics professor at the University of Pennsylvania in Philadelphia.
“What has changed is better databases with more economic data on patients, families, their businesses, their gift history, etc.,” he said. “More powerful databases represent far greater intrusions into personal privacy.”
Dixon added that the information released by UCSF included department head information, so it was possible to learn about the patient's specific medical condition.
To better protect patient records, Omar Hussain, president and CEO of Imprivata, provider of access management solutions, recommended stronger password systems, as well as stronger enforcement.
When it comes to the discussions between health care and security issues, he added, patient care always comes first. Tighter security over patient records can get in the way of offering swift medical care, so personnel opt for what is easy and quick over what is most secure.
Patients can best protect themselves in several ways, Dixon said.
“Be proactive,” she said. “If you can, be cautious about the hospital or medical center you are visiting. Monitor it for reports of data breaches and how they were handled.”