Hospital did the right thing, but they should look at their computer security

My medical clinic has contracted out the online medical records system.
And no one at the clinic has any idea of how safe they are, they do not even understand the problem.

sigh.

Forget your credit card details, hackers make 10 times more money from stealing your medical records – and they’re easier to get as hospitals' cyber security is so poor

Hospitals and health care providers are 'easy targets' according to experts
Hackers make ten times more selling medical records than credit cards
Chinese hackers recently stole 4.5 million medical records from US firm
Hackers can steal thousands of dollars before irregularities are spotted
Cyber criminals can make ten times more money hacking someone's medical information rather than their credit card details, new research has shown.
The FBI has warned US health care providers of the new threat after a group of Chinese hackers stole personal information from 4.5 million patients after targeting the computer network of Community Health Systems Inc.
http://www.dailymail.co.uk/news/article-2769109/Forget-credit-card-details-hackers-make-money-stealing-medical-records.html

Were not hackers. They worked at the hospital, and the hospitals computer system was not secure. Each user has privledges what they can or cannot access. They obviously had the rights or privledges for certain areas where they should not of had access. This has nothing to do with India or Asia dealing with medical records. It was local, by two employees who had access to information they should not have. It also has nothing to do with hackers

It is entirely internal

job gave them access to the system who illegally accessed the medical records, and not hackers or foreign contractors or anything like that. This kind of thing happens a lot more than people think, frankly, not all health care employees are stellar, honest, upright people (although most are). Just last year, in the town I recently moved from, a hospital records clerk was fired for accessing the medical records of her married lover's wife who had cancer; she and her lover wanted to find something to use against her to get custody of the children once he filed for divorce. She was immediately and summarily fired, then blamed the sick wife, of course, being the selfish thoughtless bitch that she was.

I will never figure out health care employees who do this, HIPAA is VERY clear about it and is taken VERY VERY seriously by hospitals, clinics and physician offices as they can be held federally liable for such breaches. It is drilled into all employees at these offices that they will be immediately fired and blackballed from future employment in the field, as well as possibly prosecuted. Unfortunately, that doesn't seem to stop some of them. I guess curiosity really does kill the cat.

The way it works is this: every access to every patient record is recorded. In the case of high profile patients, they will watch the records and see if there was an access by somebody not actively involved in treatment. They also randomly check records to verify who has accessed and will question any questionable access they come across.

The reason for this is simple. You can't reasonably "customize" access for each individual patient because you can't predict who will require access on any given day, at any given moment.

I may get a phone call from the doctor on a case asking for a result from earlier in the day when I was not on duty. I didn't run the test, but I need to access that patient's records. I've had calls from other hospitals 2 days after patients were shipped out asking for results we got on samples pulled while they were in our ED, looking for comparisons or culture results.

When I'm running the chemistry bench, in the afternoon I will access the list of ED patients admitted for the day. My reason is to see what kinds of complaints have been admitted within the past hour to see if it's a good time to bring the analyzer down for maintenance, cals and QC. If a chest pain came in 5 minutes ago, I'll postpone maintenance. If nobody within the past hour looks critical, I'll go ahead with it.

When I'm confirming results on a patient, I'll look at their history for comparison, along with their diagnosis. If the "pattern" I see fits, I'm good. If the "pattern" is out of whack, I'm going to do some digging. Why do I do this? A couple years ago, a very good lab tech didn't check a patient's normal looking results. The results shouldn't have been normal looking -- that patient had been admitted the night before with a critical WBC, which could not possibly have resolved overnight. Turns out in the middle of the night an ED nurse drew 2 patients and mislabeled their tubes. A critical patient had been sent home and a healthy patient admitted. The mistake possibly could have been caught the night before, when symptoms didn't fit diagnosis (really complaint), and certainly could have been caught in the morning when the patient 'miraculously' recovered.

So we require free access, but we also need to have a good explanation for why we accessed.