Hospitals are building significant protection into their computerized patient records, but some gaps in execution are leaving the door open to security breaches, a recent survey shows.
Of 260 hospitals responding, 93% reported using computer access passwords, 79% limit who can gain access, and 68% have automatic computer system logoffs after a certain amount of time elapses with no activity.
But nearly half the respondents wait longer than 24 hours to deny ex-employees access to patient data (see chart). Three in 10 don't have a written policy on the use of such information, and nearly 20% don't require employees or outside consultants to sign confidentiality agreements.
Only 43% said they could track sensitive information to see who's making queries. And nearly six in 10 respondents said they don't place restrictions on what patient data can be printed.
The survey was conducted from Jan. 14 to Feb. 18 by Gordon & Glickson, a Chicago-based law firm specializing in information technology.
The delay in cutting off an ex-employee's computer access is significant because a sizable number of unauthorized users are disgruntled former employees, said Mark Gordon, a partner at the law firm. Only 15% of respondents took less than an hour to deny system access to terminated employees.
Mr. Gordon said database access should be denied at the moment of termination.
Among other findings:
Almost nine in 10 hospitals with more than 800 beds reported having a written policy on the use of patient records, and eight in 10 required all employees to sign confidentiality agreements. By contrast, 46% of hospitals with 200 to 400 beds required such signed agreements, and 63% of hospitals with 401 to 800 beds required them.
"This finding is significant since large, urban hospitals have bigger databases that may contain more sensitive data, such as information on patients receiving drug abuse and AIDS treatment," Mr. Gordon said.
Half the survey sample said computer databases provide greater security than written records. Some 30% said both methods provided about the same level of security, and 12% said written records were more secure.