The Coalfire Blog

Viruses and Vendors Can Put Healthcare Data At Risk

August 09, 2011, Andrew Hicks, Director, Healthcare Practice Lead

A recent article in Healthcare Security Info highlights that computer viruses can cause security breaches, that can then in turn compromise health care data and potentially violate the HIPAA and HITECH Act regulations. Beth Israel Deaconess Medical Center in Boston had to notify more than 2,000 people that a computer virus sent data, including medical record numbers, names, etc. to an undisclosed location.

The cause? A computer maintenance vendor did not restore computer security controls after working on a machine.  This news emphasizes three things that healthcare providers must be vigilant about:

• Computer viruses can lead to breaches;
• Outside vendors (business associates) can be the source of breaches;
• Maintenance periods can introduce unintentional risks.

How can healthcare companies mitigate these dangers? The first step is developing an understanding of what HIPAA and HITECH both require and knowing where security responsibilities lie. An independent audit from a reputable risk assessment firm can clarify these issues and identify security weaknesses before problems arise.

Beth Israel’s reaction to the incident should be applauded. HITECH does require them to notify individuals of a breach, and their timeliness and offer of free identity protection services show their dedication ed to their patients.