Report Says Patients At Risk Of Hospital Security Policy Gaps

Apr 8, 2008 4:04 PM

           

The health care industry’s focus on medical privacy and compliance has fostered a lack of awareness around the frequency, cause and seriousness of patient identity theft, according to the 2008 HIMSS Analytics Report: Security of Patient Data commissioned by Kroll Fraud Solutions, a provider of data protection and identity theft response services. The report reveals a significant blind spot that hinders hospital efforts to contain the problem and reduce risk.

“Health care facilities are complex environments where information is stored and shared in a number of ways that are critical to patient well-being,” says Brian Lapidus, chief operating officer of Kroll Fraud Solutions. “Until health care organizations expand their data security measures to address the threat of data compromise as well as privacy and compliance, patients will continue to be at risk.”

Key report findings include:

• Regulatory loopholes in data management standards allow data breaches to go unreported, preventing an accurate measurement of frequency.
• Only 56 percent of breached organizations surveyed notified the patients involved.
• On average, respondents ranked their familiarity level with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) at a 6.53 (on a scale of 1-7, with 7 being the highest) and nearly 75 percent claimed a familiarity level of 7.
• The high level of HIPAA familiarity stems from the commencement of audits and the resulting penalties for non-compliant facilities. The issue: HIPAA compliance is an insufficient proxy for risk mitigation.
• Security policies place a greater emphasis on preventing violation of privacy than preventing fraud and malicious intent.
• Of those respondents who experienced a fraud-related breach, 62 percent identified the type of the breach as unauthorized use of information, while 32 percent cited wrongful access of paper records.
• Noticeably absent were breaches attributed to malicious intent (i.e., stolen laptops/computers, deliberate acts by unscrupulous employees, and cyber attacks through the Internet).
• Health care organizations lack appreciation for the costs of a breach.
• Only 18 percent of breached organizations surveyed believed there was a negative financial impact, even though the average cost of a breach is estimated to be as high as $197 per compromised record and $6.3 million per incident.

“The number one priority of U.S. health care institutions is saving the lives of those in need and rightly so, I might add,” says Lisa Gallagher, senior director of privacy and security for the Health care Information and Management Systems Society (HIMSS). “But patient safety extends beyond clinical care. This data tells us that organizations must also broaden their data security and risk management measures to address the threat of patient data breach.”

Among the 13 percent of respondents who revealed that their facility had experienced a data breach:

• 48 percent indicated that “reprimanding the employee” is effective breach response, while 11 percent offer “education” as a solution.
• 35 percent says that they did not change the organization’s security policy after the incident.
• Identity theft is three times as likely to happen at a larger facility (more than 100 beds) than a smaller facility (under 100 beds).

The report also indicates that health care organizations are focusing their security programs on employee education with nearly all respondents reporting that their organizations educate employees about the importance of maintaining patient data security. Almost 50 percent cited reprimanding or terminating the employee as an element of their organizations’ breach response plan and 35 percent of breached organizations surveyed did not change their security policies after the incident.

”There’s a dangerous assumption in the healthcare industry that education leads to policy implementation and change,” Lapidus says. “Best practices in data security cannot be achieved by employee training alone. Organizations must make data security a part of their DNA, reflected in every aspect of business operations.”

Want to use this article? Click here for options!
© 2008 Penton Media Inc.

SUBSCRIBE

Select an Issue April 1, 2008 March 1, 2008 February 1, 2008 January 1, 2008 December 1, 2007 November 1, 2007 October 1, 2007 September 1, 2007 August 1, 2007 July 1, 2007 June 1, 2007 IP Security Supplement May 1, 2007 April 1, 2007 March 1, 2007 February 1, 2007 January 1, 2007 School Security December 1, 2006 November 1, 2006 October 1, 2006 September 1, 2006 August 1, 2006 July 1, 2006 June 1, 2006 May 1, 2006 April 1, 2006 March 1, 2006 February 1, 2006 January 1, 2006 December 1, 2005 November 1, 2005 October 1, 2005 September 1, 2005 August 1, 2005 July 1, 2005 June 1, 2005 May 1, 2005 April 1, 2005 March 1, 2005 February 1, 2005 January 1, 2005 December 1, 2004 November 1, 2004 October 1, 2004 September 1, 2004 August 1, 2004 July 1, 2004 July 1, 2004 June 1, 2004 May 1, 2004 April 1, 2004 March 1, 2004 February 1, 2004 January 1, 2004 December 1, 2003 November 1, 2003 October 1, 2003 September 1, 2003 August 1, 2003 July 1, 2003 June 1, 2003 May 1, 2003 April 1, 2003 March 1, 2003 February 1, 2003 January 1, 2003 December 1, 2002 November 1, 2002 October 1, 2002 September 1, 2002 August 1, 2002 July 1, 2002 June 1, 2002 May 1, 2002 April 1, 2002 March 1, 2002 February 1, 2002 January 1, 2002 December 1, 2001 November 1, 2001 October 1, 2001 September 1, 2001 August 1, 2001 July 1, 2001 June 1, 2001 May 1, 2001 April 1, 2001 March 1, 2001 February 1, 2001 January 1, 2001 December 1, 2000 November 1, 2000 October 1, 2000 September 1, 2000 August 1, 2000 July 1, 2000 June 1, 2000 May 1, 2000 April 1, 2000 March 1, 2000 February 1, 2000 January 1, 2000 December 1, 1999 November 1, 1999 October 1, 1999 September 1, 1999 August 1, 1999 July 1, 1999 June 1, 1999 May 1, 1999 April 1, 1999 March 1, 1999 February 1, 1999 January 1, 1999 December 1, 1998 November 1, 1998 October 1, 1998 September 1, 1998 August 1, 1998 July 1, 1998 June 1, 1998 May 1, 1998 April 1, 1998 March 1, 1998 February 1, 1998 January 1, 1998 December 1, 1997 November 1, 1997 October 1, 1997 September 1, 1997 August 1, 1997 July 1, 1997 June 1, 1997 May 1, 1997 April 1, 1997 March 1, 1997 February 1, 1997 January 1, 1997

This month in Access Control

• Opening Up About Door Closers
• An Enterprise Approach
• The Framework For Open Systems
• On A Higher Plane
• More from April's issue