After several security breaches exposed the data of tens of thousands of patients at Children’s Mercy Hospital, its new CEO is making changes to better protect medical information.
“It’s one of the first priorities that I encountered and have ensured that we are progressing on,” said Paul Kempinski, who took over the hospital system in November after longtime CEO Randall O’Donnell retired. “There’s no question we’re making the investments. We’re doing the right thing. However no CEO in the country at any hospital can guarantee a fail-safe environment.”
Kempinski said O’Donnell’s 25-year tenure had clearly taken Children’s Mercy “to new levels” and it was on its way to becoming one of the top five children’s hospitals in the country, in terms of research and clinical care.
But he said more had to be done to combat hackers looking to nab patient data and sell it online, or hold it for ransom.
“It’s one of the biggest risks for any health care organization in the United States, or the world for that matter,” Kempinski said. “It’s the new form of terrorism within our realm.”
Patient information is protected under the federal Health Insurance Portability and Accountability Act, or HIPAA, and medical providers can face millions in fines when they leave information vulnerable.
The U.S. Department of Health and Human Services is investigating more than 400 medical privacy breaches reported within the last two years by providers large and small across the country.
A disproportionate share of them in recent years have occurred in Missouri, The Star reported in 2017. Among those, Children’s Mercy has been responsible for at least one a year since 2016.
The most wide-ranging was an online hack in 2018, after an employee fell for an email “phishing” scam. The hacked information included dates of hospital stays and procedures, diagnoses and conditions and other clinical data. More than 63,000 people were affected.
Other recent medical privacy breaches at Children’s Mercy were not the result of sophisticated hacks. In 2017, the hospital reported that a physician had created an unauthorized, unsecured website with notes about patients’ cases. About 5,500 people were exposed in that incident.
A couple hundred more patients had their information exposed in 2016, when paper records were stolen from a Children’s Mercy employee’s car.
The Star also reported last year that Children’s Mercy was one of several area hospitals using unencrypted pagers to send medical information that could be intercepted by anyone with knowledge of radio wave technology and about $30 worth of equipment. Children’s Mercy officials said they worked with their communications vendor to move to a secure pager system after they were alerted to the potential breach.
Kempinski said the hospital is investing in technology and training to prevent such incidents and conducting regular drills to test the security of computer systems.
“I think we’ve made great inroads in that,” Kempinski said. “I will say, however, that the bad guys are very smart and they’re evolving their efforts at as rapid a pace as we are. … So this will be a struggle that goes on for a long, long time.”
Kempinski said that although every medical provider has a responsibility to protect patient information, it’s perhaps even more important at a children’s hospital because parents are naturally protective of their kids.
“There’s no question we had some vulnerability in the past,” Kempinski said. “But I think we’re doing the right things to ensure that we’re protecting data, information and especially the privacy of our patients and our own employees, for that matter.”