The Los Angeles Times reports:

A major security breach caused patients data to fall into hackers hands. The Los Angeles bureau criminal investigation responsible to look into internet fraud has confirmed a massive data theft which literally has put 10.000 patients at risk of stolen identity theft. The Hospital has acknowledged that an intruder bypassed security measures and copied files containing patient data including social security number, health issues, birth dates, living address and work address, health insurance numbers and family member data. With this information new identities can be created for fake driver license and other ID cars, credit card applications and bank accounts can be raided. The hospital has issued a public apology and stated that counter measures are being implemented.

Unfortunately this is not an unusual situation but rather a common incident as many hospitals have not address many security issues as they should do. Many use password protection to enter files and folders but fail to recognize that passwords are carried through the internal system unencrypted and can be read by means of a $100 gadget bought in the electronic shop next door. The password can then be used to gain unauthorized access.

In many cases reported, people wondering in and out of hospitals as patients, visitors of patients or as hospital staff pass laptops sitting nearby for doctors to use and record patients’ health care events or medication prescriptions. Doctors often leave such laptops unattended when they go to the next patient’s bed site. In the meantime, people can copies files on a thumb drive in seconds and walk out the door.

As Dr. Heiner Kromer, CEO of the SECUDE group, states:

This situation is not unusual. IT managers trust firewalls to solve security issues, not realizing that security breaches can happen right under their noses. This type of problem can be solved and patients privacy protected by encrypting the data.  Not only can the laptop data be encrypted so that any downloading is impossible to decipher but signing on into the system uses stronger authentication such as two-factor or three-factor methods such as tokens, smart cards and other available methods. Even password transportation can be done in such a way the password is transported through the IT system encrypted. Had the hospital deployed such methods this would such incidents still occur?