Health Care Organizations Not Protecting Data Despite Increased Risk, Report Finds


By Genevieve Douglas  

Health care organizations are not keeping pace with the growing risks of patient health information data breaches, even in the face of widespread adoption of electronic health records, according to a report released March 5 by privacy and security experts.

The report, The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security, is the result of a collaboration called the PHI Project—made up of representatives from the American National Standards Institute's Identity Theft Prevention and Identity Management Standards Panel, the Santa Fe Group, and the Internet Security Alliance (ISA).

According to the report, breaches of patient health information are growing in frequency and magnitude with huge financial, legal and regulatory, operational, and clinical repercussions for the organizations where the data breaches occur.

Over 75 percent of respondents to a January survey of compliance professionals cited “malware infestations” as the greatest concern for data breaches at health care organizations. Additionally, 61 percent of respondents said their organizations are “very likely” or “likely” to fall prey to social engineering attacks.

Only 27 percent of the almost 1,000 respondents said their organizations had enough resources for privacy and security compliance efforts.

The report's findings were based on a survey of PHI Project participants from more than 70 health care organizations.

Assessing Risk

The report detailed a five-step method for assessing security risks and evaluating the “at risk” value of an organization's PHI.

This tool estimates overall potential data breach costs and provides a methodology for determining an appropriate level of investment in safeguards to strengthen privacy and security programs and reduce the probability of a breach.

Additionally, the report recommends steps that could be taken at a regulatory level to ensure protection of PHI, Catherine Allen, chairman and chief executive officer of consulting firm the Santa Fe Group, said at a briefing about the report.

Overall, however, it should be the private sector's responsibility to build this ecosystem, Howard Schmidt, cybersecurity coordinator at the White House, said at the briefing.

“When it comes to cybersecurity [the federal government has] a role … to really highlight what things are working out there and what things we need to improve on [to protect PHI],” he said.

Protecting Against Attacks

Use of electronic health record technology offers the potential for significant future benefits to health care and patients, but it has also exposed patient health information to an increasing number of threats to the privacy and trust on which the health care delivery system is based, according to the report.

EHRs increase security threats to PHI because of:

  •  the ability to improperly disclose identifiable electronic health data of millions of individuals simultaneously;
  •  the ability for hackers to access PHI without having physical access to the data; and
  •  the inability to restore the privacy of the health data once a breach has occurred.

Motivating factors for those protecting PHI and those attacking systems to steal PHI are unbalanced, Larry Clinton, president and chief executive officer of the Internet Security Alliance, said during the briefing.

Essentially, cyber attacks are relatively simple and cheap, and the information stolen is highly valuable, while security efforts are expensive, antiquated, and hard to support, Clinton said.

ANSI plans to host a webinar March 21 at 2 p.m. EST to describe the report in more detail and explain how to use it as a practical guide for health care organizations.

For More Information

The report is available for free download at
