
Zero-Trust Security: The Way of the Future?

By Angela Atkinson Posted January 25, 2011 22:54 Comments Comment

Two recent incidents at medical facilities in different states, one at a hospital and one at a radiology lab, have brought the importance of securing medical data against both internal and external threats into sharp focus.
 

One incident involved three Tucson University Medical Center employees and a contracted nurse. Each was fired for improperly accessing confidential patient records after the well-publicized shooting at a political event that gravely wounded U.S. Rep. Gabrielle Giffords and 18 others, six of whom were killed.

While the hospital released a statement saying it was not aware of any confidential patient information having been publicly released, it would not disclose how many patients were affected by the unauthorized access, whether Giffords' records were among those viewed, or what type of information was involved. The statement said the patients involved had been notified of the breach.

The hospital said it uses "sophisticated technology" designed to prevent and detect inappropriate access. But, like most healthcare organizations, it grants a certain level of trust to personnel who need to reach sensitive records for patient care, billing and other purposes, and the Tucson firings show that the detection side of those controls only fires after the records have already been read. Thanks to mobile and cloud-based systems, these trusted individuals can also easily transfer and share confidential patient information with unauthorized parties.

Insiders who go on to misuse data, whether deliberately or carelessly, are often placed in positions of trust, and their levels of access are not always clearly defined. Some industry experts suggest that the best way to keep tabs on would-be unauthorized access is zero-trust access control: no user or device is trusted by default, every request for a resource is authenticated and authorized on its own, and all network traffic is logged and analyzed on a continuous basis.

So, rather than a range of access levels that lets some people see more than others, a zero-trust environment means that when healthcare employees open confidential patient records, only the specific records and fields required to do their jobs are revealed, and nothing else.

Should healthcare organizations protect sensitive patient data internally the same way it is protected from external threats? Proponents of zero-trust environments say it is no longer prudent to extend any level of trust to insiders with regard to medical records, especially now that most are stored electronically, which makes them easier to breach.
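To make the idea concrete, here is a small Python model added as an illustration; it is not code from Scrubs & Suits or from any EHR vendor. Every chart access is authorized on its own against two things, the requester's role (which fields they may ever see) and their documented relationship to the patient (which charts they may open); every decision, allowed or denied, is logged; and the log is then scanned for the pattern behind the Tucson firings, staff opening charts of patients they have no relationship with. The roles, field groups, user names and patient IDs are all constructed for the example.

```python
"""Per-request EHR access control with an audit trail and log analysis.

Added illustration, not code from Scrubs & Suits or any real EHR product.
Roles, field groups, users and patients are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical field groups; a real EHR has far more granular ones.
CLINICAL = {"diagnosis", "medications", "notes"}
BILLING = {"insurance", "charges"}
DEMOGRAPHIC = {"name", "dob"}

# Least privilege by role: the most a role may ever see, for any patient.
ROLE_FIELDS = {
    "nurse": CLINICAL | DEMOGRAPHIC,
    "physician": CLINICAL | DEMOGRAPHIC,
    "billing": BILLING | DEMOGRAPHIC,
}

NO_RELATIONSHIP = "no relationship with patient"


@dataclass
class AccessRequest:
    user: str
    role: str
    patient: str
    fields: frozenset


@dataclass
class AuditEvent:
    user: str
    role: str
    patient: str
    fields: frozenset
    allowed: bool
    reason: str


class ZeroTrustEHR:
    """Authorizes each chart access individually and records every decision."""

    def __init__(self, relationships):
        # patient id -> users with a documented care or billing relationship
        self.relationships = relationships
        self.audit_log = []

    def authorize(self, req):
        """Return (allowed, reason). Nothing is trusted by default."""
        permitted = ROLE_FIELDS.get(req.role, frozenset())
        if not req.fields or not req.fields <= permitted:
            allowed, reason = False, "field not permitted for role"
        elif req.user not in self.relationships.get(req.patient, set()):
            allowed, reason = False, NO_RELATIONSHIP
        else:
            allowed, reason = True, "ok"
        # Denials are logged too; the analysis below keys on them.
        self.audit_log.append(AuditEvent(req.user, req.role, req.patient,
                                         req.fields, allowed, reason))
        return allowed, reason


def users_probing_charts(audit_log, threshold=2):
    """Users denied `threshold` or more times for charts they are not assigned to."""
    denials = defaultdict(int)
    for ev in audit_log:
        if not ev.allowed and ev.reason == NO_RELATIONSHIP:
            denials[ev.user] += 1
    return sorted(u for u, n in denials.items() if n >= threshold)


def chart_readers(audit_log, patient):
    """Everyone who tried to open one chart, allowed or not. A sudden jump
    in this set right after a patient is in the news is the signal to review."""
    return sorted({ev.user for ev in audit_log if ev.patient == patient})


def run_demo():
    """Replay a constructed sequence of requests and return the EHR instance."""
    ehr = ZeroTrustEHR({
        "P-001": {"rn.lopez", "dr.chen", "billing.kim"},
        "P-002": {"rn.lopez"},
    })
    requests = [
        AccessRequest("rn.lopez", "nurse", "P-001", frozenset({"diagnosis"})),   # allowed
        AccessRequest("rn.lopez", "nurse", "P-001", frozenset({"insurance"})),   # wrong field for role
        AccessRequest("dr.chen", "physician", "P-002", frozenset({"notes"})),    # not on care team
        AccessRequest("dr.chen", "physician", "P-001", frozenset({"notes"})),    # allowed
        AccessRequest("billing.kim", "billing", "P-001", frozenset({"charges", "name"})),  # allowed
        AccessRequest("tech.ross", "nurse", "P-002", frozenset({"diagnosis"})),  # not on care team
        AccessRequest("tech.ross", "nurse", "P-001", frozenset({"diagnosis"})),  # not on care team
    ]
    for req in requests:
        ehr.authorize(req)
    return ehr


if __name__ == "__main__":
    ehr = run_demo()
    for ev in ehr.audit_log:
        verdict = "ALLOW" if ev.allowed else "DENY"
        print(f"{ev.user:12} {ev.patient} {sorted(ev.fields)} -> {verdict} ({ev.reason})")
    print("probing charts:", users_probing_charts(ehr.audit_log))
    print("P-001 readers:", chart_readers(ehr.audit_log, "P-001"))
```

Two design choices matter here. The role check and the relationship check are independent, so a billing clerk with a legitimate account relationship still cannot read diagnoses, and a nurse cannot read the chart of a patient on another unit even though nurses in general may see clinical fields. And denials are written to the same log as successes: in a perimeter-trust model the Tucson accesses would have succeeded silently, whereas here the repeated denials are exactly what the review query surfaces.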

The second recent incident that raised red flags among healthcare professionals about the security of patient records probably did not involve anyone reading patient information, but it still created a serious security risk. In November 2010, a group of gamers broke into a server at New Hampshire-based Seacoast Radiology and used it to host the computer game "Call of Duty: Black Ops". While the gamers probably had no interest in the other data on the server, the medical records of more than 230,000 patients were stored there. Because those records included names, Social Security numbers, diagnoses and other sensitive information, Seacoast was required to notify each patient of the breach.

In this case, the breach came to Seacoast's attention through an outside security firm, which noticed a drop in available bandwidth and investigated.

The network vulnerability that let the gamers into the server has been fixed and the incident was reported to the New Hampshire attorney general as required by law, but investigators were not able to determine how long the gamers had been using the server. That gap is itself a lesson: without retained connection and access logs, an investigation cannot bound the exposure window, and notification has to assume the worst case.

Based on incidents like these, security measures need to be present throughout each healthcare organization's network, and patient information must be protected against internal as well as external threats.
 

