By Genevieve Douglas
Health care organizations are not keeping pace with the growing risks of patient health information data breaches, even in the face of widespread adoption of electronic health records, according to a report released March 5 by privacy and security experts.
The report, The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security, is the result of a collaboration called the PHI Project—made up of representatives from the American National Standards Institute's Identity Theft Prevention and Identity Management Standards Panel, the Santa Fe Group, and the Internet Security Alliance (ISA).
According to the report, breaches of patient health information are growing in frequency and magnitude with huge financial, legal and regulatory, operational, and clinical repercussions for the organizations where the data breaches occur.
Over 75 percent of respondents to a January survey of compliance professionals cited “malware infestations” as the greatest concern for data breaches at health care organizations. Additionally, 61 percent of respondents said their organizations are “very likely” or “likely” to fall prey to social engineering attacks.
Only 27 percent of the almost 1,000 respondents cited having enough resources for privacy and security compliance efforts.
The report's findings were based on a survey of PHI project participants from over 70 health care organizations.
The report detailed a five-step method for assessing security risks and evaluating the “at risk” value of an organization's PHI.
This tool estimates overall potential data breach costs and provides a methodology for determining an appropriate level of investment in safeguards to strengthen privacy and security programs and reduce the probability of a breach.
Additionally, the report recommends steps that could be taken at a regulatory level to ensure protection of PHI, Catherine Allen, chairman and chief executive officer of consulting firm the Santa Fe Group, said at a briefing about the report.
Overall, however, it should be the private sector's responsibility to build this ecosystem, Howard Schmidt, cybersecurity coordinator at the White House, said at the briefing.
“When it comes to cybersecurity [the federal government has] a role … to really highlight what things are working out there and what things we need to improve on [to protect PHI],” he said.
Use of electronic health record technology offers the potential for significant future benefits to health care and patients, but it also has opened up patient health information to an increasing number of threats to the privacy and trust on which the health care delivery system is based, according to the report.
EHRs increase security threats to PHI because of:
Motivating factors for those protecting PHI and those attacking systems to steal PHI are unbalanced, Larry Clinton, president and chief executive officer of the Internet Security Alliance, said during the briefing.
Essentially, cyber attacks are relatively simple and cheap, and the information stolen is highly valuable, while security efforts are expensive, antiquated, and hard to support, Clinton said.
ANSI plans to host a webinar March 21 at 2 p.m. EST to describe the report in more detail and explain how to use it as a practical guide for health care organizations.
The report is available for free download at http://webstore.ansi.org/phi/.