EXCLUSIVE TO THCB: HIMSS Analytics, the research arm of the powerful, thoughtful and highly regarded Healthcare Information and Management Systems Society, has published a sobering study, Security of Patient Data (see here), that highlights the gap between how hospitals believe they are securing patient data and what actually happens when a breach occurs. The report, commissioned by Kroll Fraud Solutions, should be a splash of cold water for health care executives in every setting with responsibility for patient data. A link to the Executive Summary has been placed at the bottom of this post.
In the wake of several recent incidents involving breaches of celebrity records, what’s fascinating about the study is that the executives interviewed claimed very high familiarity with HIPAA rules: they averaged 6.53 on a 7-point scale, and 75 percent of those interviewed gave themselves a 7. The report attributes this high sense of HIPAA knowledge to the current rounds of HIPAA compliance audits and to the penalties for non-compliance that have followed in some cases.
Still, it is clear that a focus on HIPAA compliance does not address the broader risks associated with malicious breaches. Even though the average total cost of a breach can reach $197 per record and $6.3 million per incident, fewer than one in five organizations that admitted to breaches believed there was any financial liability involved. Equally worrisome, while most surveyed organizations responded to data breaches with employee reprimands (48 percent) or education (11 percent), about a third (35 percent) did not change their security policies at all after the incident.
The larger point here is that most health care organizations BELIEVE they’re aware of the risks and handling them. But health care consists of exceedingly complex information environments that demand comprehensive patient data security approaches. Compliance with HIPAA, thorough as it strives to be, does not appear to provide the breadth of protection now required to safeguard the privacy and security of patient information.
Later this week, I’ll facilitate a Webinar discussion that will talk in more depth about these issues. Lisa Gallagher, HIMSS Senior Director of Policy and Privacy; Jennifer Horowitz, HIMSS Analytics Senior Director of Research; and Brian Lapidus, Kroll Fraud Solutions Chief Operating Officer, will serve on the panel. We’ll announce and post that Webinar here when it becomes available as well.
How does the medical profession feel about patients’ records becoming electronic now? Is it to do with keeping costs down, or to check on who is inputting the required information correctly?
Linda, you are right that European legislation needs to be stronger with respect to the security of patient data. There is a lot of research going on in this field. I, being myself an avid reader of security articles, came across one research article in IEEE publications. The paper is quite interesting and innovative. Have a look at http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=4238997
The security of personal data is very important in EU legislation. In working for a social media company interested in the emerging health concerns of the increasingly European (rather than simply national or state-oriented) market, I have discovered that European protections/restrictions on sharing private patient data are far more protective than those found in the USA. It’s interesting considering our different policy approaches to health care provision.