HIMSS: Increase in Patient Data Breaches Despite Strict Regulations
By: Maite Forrez
According to “2012 HIMSS Analytics Report: Security of Patient Data”, commissioned by Kroll Advisory Solutions, a heightened focus on HIPAA (Health Insurance Portability and Accountability Act) compliance has not yet resulted in better patient data security.
This biennial survey of 250 healthcare organizations shows that the percentage of organizations experiencing a patient data breach is going up. The survey asked chief information officers, health information management directors, chief privacy officers and chief security officers about the number of data breaches they knew of over the past 12 months. The findings revealed that 27% of the respondents had experienced at least one security breach over the past year, up from 19% in 2010 and 13% in 2008.
According to the report, both human error and mobile devices (mobility) contribute to patient data breaches.
Even though 79% of respondents reported that an employee had caused the security breach, only half of respondents required proof of employee training on data security policies. Two days after the report’s release, the Utah Department of Technology Services (DTS) revealed that 780,000 individuals had been affected by the theft of sensitive Medicaid information. “The Utah data breach is an example of human error because the server did not have a secure password [allowing an Eastern European hacker to circumvent DTS’s security system]”, said Lisa Gallagher, senior director of privacy and security for HIMSS.
As 31% of respondents indicated that information available on a mobile device was a factor in data breaches, it is clear that the mobility of patient data also contributes to patient data security breaches. According to the report, the “use of new technologies, particularly mobile devices in the workplace, has skyrocketed, creating new operational efficiencies and security vulnerabilities […]. As mobile devices proliferate in exam rooms and administrative areas, so do the associated vectors of potential attack”.
In its report, HIMSS urges hospitals to be more proactive about data breach prevention. “While increased regulation and better-articulated guidance have led to increases in privacy and security measures within hospitals, they also have contributed to a false sense of security within organizations that comply with these mandates”, the report states.
Therefore, health care organizations must go further than simply complying with regulations (i.e. HIPAA and the HITECH Act) to protect health information; they also need to form policies of their own to secure patient data. According to Brian Lapidus, senior vice president for Kroll, “organizations will need to constantly assess their security risk levels and evolve their policies and procedures to ensure that they are in the best possible position to protect their patients and their bottom lines”.
Despite the report’s results, others argue that we need to be more positive-minded when it comes to resolving health privacy issues. As Ken Terry, reporter for FierceHealthIT, recently stated: “sure, there are plenty of security breaches – some of them serious enough to attract public attention. But as a few recent cases show, universal encryption of data (some forms of which may soon be required under the latest HIPAA rules) could eliminate the biggest source of security breaches”.
Robert Miller, the lead author of a study[1] recently published in Health Affairs, states: “what’s important is that people understand how their data are being used […]. It’s like informed consent”. However, if informed consent becomes too onerous, will health information exchange remain an impossible dream?
For more information, see:
– http://www.informationweek.com/news/healthcare/security-privacy/232900128
– http://www.pcworld.com/article/253827/hospitals_seeing_more_patient_data_breaches.html