Hospitals underrate malicious intent in data breaches

Experts say there are also lessons about data security for physician practices in the HIMSS study findings.

By Pamela Lewis Dolan, AMNews staff. May 26, 2008.

Hospitals generally are well aware of what they have to do under the Health Insurance Portability and Accountability Act to ensure the security of patient data. They are also aware that their own employees might be the ones who breach that security.

However, hospitals generally underestimate the malicious intent and the financial damage involved in data breaches and are unaware they're being targeted by perpetrators wishing to commit identity theft or medical fraud.

That is the conclusion of a recent report by the Health Information and Management Systems Society. The report was based on responses to a January telephone survey from 263 hospital executives responsible for patient data.

"I think ... hospitals, they may stick their heads in the sand, and they don't want to acknowledge that people want to access people's data for personal gain," said Brian Lapidus, chief operating officer of Kroll Fraud Solutions. Kroll, which sells data protection and identity theft response solutions, commissioned the study by HIMSS.

The report did not look into breaches at physician practices. But some experts say physicians also underestimate their chances of being targeted.

Mike Spinney, spokesman for Ponemon Institute, a Traverse City, Mich.-based think tank that researches privacy and data security issues, said while breaches are commonly discovered at hospitals and large medical groups, too often physician practices adopt a mentality that they are too small to be targeted.