ABSTRACT

Information security is an ever-evolving endeavor, and large-scale security breaches are reported with increasing regularity. In 2014, the Department of Health and Human Services (HHS), acting under Title II of the Health Insurance Portability and Accountability Act (HIPAA), fined two New York City (NYC) hospitals $4.8 million for a breach [3] of Electronic Protected Health Information (ePHI). The hospitals' own systems were secure; the fault lay with a physician's personally owned computer/server. In another breach, Target, one of the largest retailers in the United States, reported that the data of as many as 70 million customers had potentially been compromised [9]. The Wall Street Journal reported that "Target attackers were able to gain access to the retailer's system by way of stolen credentials from a third-party vendor." Target's own systems may have been secure, but the third-party vendor's security was lax, so the attackers entered through that vendor's legitimate access. Security breaches often begin with seemingly innocuous lapses in tertiary systems. Weak, easily guessed passwords such as 12345; systems left unattended and unlocked; and phishing, a form of social engineering in which an individual is fraudulently contacted and induced to reset his or her password or disclose confidential information, are just some of the many techniques used to breach a system's security. "They lunge, we parry," a fencing analogy for the continual dance of attack and defense, will probably always be with us. Nevertheless, the benefits of electronic health records (EHRs) far outweigh the risk of potential security breaches. Healthcare professionals sharing data, evaluating the effectiveness of treatments, and consulting in real time are moving medical practice forward rapidly. This chapter discusses medical computer security best practices, which will themselves evolve over time (Figure 5.1).