MIDLAND, MI – Healthcare organizations across the country like MidMichigan Health have been hit by viruses and hackers from both the outside and within during the past couple months.

“The (welshy worm) virus hit, and one-third of our capabilities went down,” said Jim Czyzewski, senior information systems specialist at MidMichigan.

This integrated delivery network — with four hospitals, several physician groups and other care facilities — supplies network access to 2,000 workstations, many of which have access to patient records and other sensitive information.

In May 2004, MidMichigan Health implemented patch software from PatchLink to protect the health network from future security vulnerabilities. Patch security provides hospital IT staff with control over the network, according to Chris Andrews, vice president of security technologies at PatchLink.

Czyzewski is confident with MidMichigan’s new security precautions.

“It gives us more than just patches,” he said. “It automatically updates new applications like McAfee virus software.”

Security breaches also can come from inside a hospital. In August 2006, several healthcare organizations such as the Vassar Brothers Medical Center in Poughkeepsie, N.Y., and Madrona Medical Group in Bellingham, Wash., had security breaches, leading to several hundred thousand patient records being stolen by former employees or unknown individuals.

Thomas Walsh, a Kansas-based information security consultant, said securing hospital perimeters through firewalls and spam filtering offers the bare minimum for security.

 “Hospitals have a good handle on the exterior, but you don’t see hospitals addressing the interior. With information security, the threat is inside,” he said.

Walsh classifies interior security threats as being either unintentional — when a user neglects to follow a hospital’s security procedures, such as email encryption — or intentional, such as when a user takes advantage of his or her access to the hospital’s sensitive information.

“It is a danger in any healthcare organization when it shares information with business associates who may not adhere to the same security standards,” Walsh said. “Who enforces them?”

Hospitals should place expiration dates on files such as billing records that are sent to business associates. Walsh also suggests that hospitals train their employees properly on network and the security procedures.

“The greatest threats to information technology are people,” he said.