The potential for personal health data breaches is significant and increasing, according to a report issued in January by Deloitte Center for Health Solutions, Washington, D.C., as healthcare providers move to automated health care.
The report, Privacy and Security in Health Care: A Fresh Look, summarizes various security studies over the past year that point to a lack of preparedness on the part of providers for mitigating privacy and security risks. Root causes vary, but include a lack of internal human and capital resources, lack of internal controls over patient information, lack of upper management support, outdated policies and procedures, and inadequate personnel training.
Selected findings of recent studies include:
- Nearly 85 percent of hospitals are not in compliance with the HITECH Act, and 41 percent of hospitals have at least 10 data breaches annually, according to a 2010 National Survey of Hospital Compliance Executives, which polled 220 hospital executives from 43 states.
- Last September the Ponemon Institute, in its Benchmark Study on Patient Privacy and Security, said that 60 percent of hospitals had two or more data breaches in the last two years, and that data breaches cost organizations on average $1 million annually.
- A 2010 HIMSS Security Survey, conducted between September and October, found that nearly 50 percent of respondents indicated that less than 3 percent of their IT budget is allocated for information security. The study polled 272 executives from hospitals, medical practices, payers, home health agencies, military health facilities and HIEs. It concluded that, although awareness of new privacy and security provisions has increased over the prior year, preparedness has not kept pace.
The Deloitte report notes that privacy and security regulations have historically focused on internal security processes. That is no longer the case, as culpability has since been extended to downstream entities. It recommends three strategies that healthcare organizations can follow to guard against privacy risks:
- Risk management: Identify and assess data security risks and develop appropriate security controls. This allows organizations to make informed decisions on how to allocate their security resources.
- Security and privacy program: Develop and implement policies, procedures and training. This creates baseline standards for secure handling of sensitive patient data, and creates awareness within the organization of data privacy and security policies.
- Compliance: Validate effective risk management and governance. This reduces organizational risk, creates customer trust in an organization's protection of PHI, and reduces the potential for financial penalties.
The report concludes that as healthcare reform improves the quality, efficiency and coordination of healthcare delivery and payment systems, each participant will be exposed to increased privacy and security risks. It urges stakeholders to take steps now to mitigate those risks.