The Next Topic in HIPAA Security: Computer Virus Protection

Chief Information Officers (CIOs), Risk Managers and Information Security personnel often lament that they cannot get physicians to focus on health information security. “We have anti-virus,” the doctors say. “What’s the problem?” Recent events at a Georgia hospital have proven that the doctors were, at least, half-right in their concerns about viruses.

Forbes reported, on December 19, 2011, that Gwinnett Medical Center in Georgia experienced a “computer infection” on December 14, and was forced to send all non-emergency patients elsewhere. The hospital insisted that neither patient care nor confidentiality was threatened because the Patients’ “information was safe.” http://www.forbes.com/sites/mobiledia/2011/12/19/computer-virus-shuts-down-georgia-hospital/

Patient information may have been “safe” this time, but computer viruses, particularly the “worm” variety suspected here, frequently obtain and send information to the malware creators. Some of the best-known viruses, for example, attack the users’ contact lists and transmit the contact information, which is then used for phishing and other identity theft schemes.

The HIPAA Security Rule is quite explicit that Covered Entities, such as hospitals and physicians, must create, implement and document safeguards against losses of Protected Health Information (PHI). To meet these requirements, most CIOs, Information Security personnel and Risk Managers have focused on implementation of such security measures as access control (passwords), prevention of unauthorized disclosures of PHI, and administrative safeguards against losses of portable media (most of the recently reported breaches have comprised losses of laptops, portable hard drives and USB drives). These precautions are critical but must reach beyond mere safekeeping of the devices to controls on the information carried on portable media. Forbes reported that the Gwinnett virus may have been introduced by an employee’s USB drive.

The Office of Civil Rights of the U.S. Department of Health and Human Services has commenced a program of “spot audits” for compliance with the HIPAA Security Rule. In the wake of this and similar incidents, Covered Entities and counsel and consultants assisting them should focus on protection against malware that may result in mass disclosures of PHI. It should not come as a surprise if OCR asks for the documentation of such protection during its audits.
