The tricky topic of health care information security will get even trickier with the birth of Google Health. The online service, described well in this Telegraph story, is a portal that stores users' uploaded health records, provides information and acts as an interface between them and their doctors.
The service, which is opening in beta, certainly will attract the wrong kind of customer -- hackers trying to get into what for them represents a treasure trove of data.
The last thing sick or injured people want to worry about is the security of their data. Unfortunately, they must -- at least according to the 2008 HIMSS Analytics Report: Security of Patient Data. The study, commissioned by Kroll Fraud Solutions, paints a bleak picture. This story at SC Magazine begins by pointing out that hospitals are inviting targets for hackers because they offer the "golden combination" of things they seek: names, Social Security Numbers and birth dates. The report, which got input from 263 IT executives and CSOs, found that in 2006/2007 more than 1.5 million names were breached in hospitals. The HIMSS report found a lack of awareness among professionals and vague language in laws and regulations. The piece offers interesting numbers, including the fact that little more than half -- 56 percent -- of respondents whose institutions experienced a breach notified patients.
The challenge is growing. SecureWorks, a security software-as-a-service company, reports an 85 percent increase in hacker attacks. According to this piece, the company says there were an average of 11,146 incidents per client per day in the first half of last year. That number has risen to 20,630 per client per day in the last half of the year through January 2008. The report traces an increase in "client-side attacks" and notes that health care organizations hold a tremendous amount of information attractive to criminals and are burdened with a high level of "attack surfaces."
There are many ways in which criminals attack health care institutions, of course. A report from Absolute Software -- after pointing to the scary statistic that there were 46 data breaches in the United States involving 62 stolen and lost computers and resulting in nearly 5 million compromised identities in 2007 -- lists the five top risky activities. I've Been Mugged carries the list: They are the failure to go beyond encryption in protection schemes; the inability to adequately manage mobile devices; the use of public terminals for sensitive information; the lack of a data-security plan; and the lack of data-breach policies.