According to a recent article in Federal Computer Week, foreign criminal hackers are targeting American health records.
Mark Walker of the DHS Critical Infrastructure Protection Division recently told a National Institute of Standards and Technology workshop that the hackers' primary motive seems to be espionage. For example, any health problems among the nation's leaders would be of interest to potential enemies, he said.
Walker cited two events from 2007. In one, a virus was placed on the Centers for Disease Control and Prevention Web site. In another, there was a known data breach in the Tricare records for the Military Health System.
The Department of Homeland Security wants to build a database of health care-related data breaches. Walker told the workshop that, at present, the DHS has only a vague understanding of data loss connected with health care services.
On a related note, the U.S. Department of Health & Human Services has outlined the bases and procedures for imposing civil money penalties on covered entities that violate any of the Health Insurance Portability & Accountability Act of 1996 (HIPAA) Administrative Simplification Rules. The Centers for Medicare and Medicaid Services (CMS) will enforce HIPAA Transactions and Code Set Standards, while the Office for Civil Rights will enforce Privacy Standards. The final rules for security compliance cover specific areas of data storage, such as who must be interviewed regarding compliance, and what aspects of the company's IT security policy must be reviewed.