Computerized information at hospitals may be highly vulnerable to snoops and hacks

NEW YORK - Digital records systems at hospitals may be vulnerable to coordinated data theft and even to simple snooping, experts say.

A survey of 180 staff at a Spanish medical center found that more than 60% used weak passwords and more than half made no attempt to safeguard personal health information on monitors from unauthorized eyes, according to data published online January 23 in the International Journal of Medical Informatics.

The findings may be similar in other medical centers in the United States and Europe, experts say.

"Hospitals are soft targets for hackers experienced in other areas like retail or the financial sector," Eric Johnson, an information technology security specialist and Dean of the Owen Graduate School of Management at Vanderbilt University in Nashville, Tennessee, told Reuters Health by email.

"In many cases, they (unauthorized personnel) don't need to guess passwords as they are often shared or written on sticky notes. In hospitals, passwords are viewed as a hindrance to urgently needed information, so they are often simple and easy to guess," said Johnson, who was not involved in the Spanish study.

The new survey, conducted at the General University Reina Sofía Hospital of Murcia, found that 62.2% of respondents had weak passwords. That means they reported either that their password contains a personal name or a date relevant to them or a fictional character, or is otherwise easy for others to guess, or that it is not at least eight characters long, including upper- and lower-case letters, numbers and special characters such as #.

And as many as 16% of those surveyed said that they had written a password down and left it out where someone else could find it, sent it by email or allowed a shared computer's browser to save it for easy entry.

"Information security awareness and training play a key role to improve the current situation," said José Luis Fernández Alemán, a computer scientist at the University of Murcia, who worked on the study.

"Health care professionals should receive proper security awareness and training programs both at the beginning of and during employment as professionals in a hospital. We believe that if measures are not adopted to protect patient privacy, this will result in a loss of trust by patients that their health information privacy is protected," Fernández said.

Other notable findings from the survey include that nearly a third of the respondents did not know their hospital's policy on deleting confidential information and nearly a fifth did not follow the policy.

Poor practices seem to span age groups and experience levels. The number of years that a person had held their position did not predict good practices, nor did a person's gender, and age was only weakly linked to good practices, the researchers found.

The results most likely generalize to other European medical centers and to those in the United States, Fernández said.

"Health care systems and organizations were not built with security in mind. Changing both the systems and security culture will be very challenging," added Johnson.


Int J Med Inform 2015.

References: Reuters Health