Try to Crack This

How disastrous would it be if criminals hacked their way into the equipment and private information in your hospital? Recently, I tried to sign into 24×7’s Facebook page and received an alert that someone had tried to sign into my account. The Facebook notice had a link to the geographic location of the “person” trying to access my account. I was able to click on it in case I had been in that area—San Carlos, Calif. I hadn’t. The notice then suggested I change my password for the site and for any other site connected to my account.

I had two concerns: One, a general concern about someone trying to access my account, and two, whether or not this notice really came from Facebook. Granted, I am not overly knowledgeable about all this, but I do know that the e-mails I receive that “appear” to be authentically from Facebook—the ones that tell me it had to change my password due to a problem and all I need to do is open the attached zip file—are phony. Beyond that, I’m not always sure.

For this particular notice, I checked with a couple of colleagues, and we determined this legitimately came from Facebook. So I changed my password—to something I cannot remember most of the time. And that’s sort of the point—creating passwords that make it difficult for hackers to crack.

In this month’s issue, Jeff Kabachinski has written an excellent “Networking” column on this topic. When I asked how often CEs/BMETs use passwords and if a department might use a “general” password for the department, he said, “In the hospital, just about every piece of equipment has a password. In medical equipment, the service access password will most likely be the same for all the service personnel. In terms of large computer systems, though, there can be levels of access.”

He gave an example of an ECG database or other server/system of patient information where each user would have their own password to go with their login ID, which controls the level of access. In billing, for instance, he said that the person who generates the actual bill will have a deeper level of access than others because he or she can see the patient’s insurance particulars such as co-pay and other personal information. These levels protect information because, Jeff said, “The more information the bad guys can get about someone, the more likely they are to steal identity.”

Security issues continue to concern me, personally and in health care. According to a press release, the Identity Theft Resource Center recorded a nearly 33% increase in data breaches from 2009 to 2010, which exposed more than 16 million records.

Set to address these very issues, the HIMSS11 Annual Conference & Exhibition in Orlando, Fla, February 20 through 24, will tackle security as well as other topics. A session titled, “The Need for a National Healthcare Security Framework,” directly addresses my concerns. Its objectives include describing why ongoing risk assessments are not enough to maintain security controls in a health care organization, how Meaningful Use requirements implemented without a security framework program are inherently dangerous, why the health care industry needs to take the lead in developing and maintaining a health care security framework, and the tools and resources needed as part of a health care security framework.

Very intelligent people are on the case, yet breaches still happen. Before we are forced into an electronic health record, shouldn’t the issues covered in the above session already be in place? What do you think? Blog about it with me.

Julie Kirst