Electronic medical records (EMRs) and the digitization of every scrap of medical information have been pushed into high gear as healthcare reform backers look for ways to improve care and streamline its cost. A new survey of information technology practitioners reveals that most think healthcare organizations don't have adequate resources to protect patients' confidential information.
In fact, 80% of healthcare organizations surveyed admitted to at least one incident of lost or stolen electronic health information in the past year, and 4% had more than five patient data breaches.
"There is a lot of medical-related information being collected and put onto networks, and there are vulnerabilities associated with that phenomenon. It's not new, but with what's happening at the federal level, the profile of those issues is on the rise," Mike Spinney, senior privacy analyst, Ponemon Institute (Traverse City, Michigan), told Medical Device Daily. "Organizations are putting this information into digital format, but are they taking the proper precautions? We've done a lot of research to suggest that the people at the top of the food chain in these organizations may not have an appreciation for what the real issues are in terms of security."
Ponemon just issued the report "Electronic Health Information at Risk: A Study of IT Practitioners," with backing from security management solutions developer LogLogic (San Jose, California). The study surveyed 542 senior IT practitioners from healthcare organizations with an average of more than 1,000 employees.
Some of the most important findings include:
• A majority, 70%, said senior management does not view privacy and data security as a priority.
• About half, 53%, report that their organization fails to take appropriate steps to protect the privacy rights of patients while less than half judge their existing security measures as effective or very effective.
• The top three threats to electronic health information are virus or malware infections, loss of patient data (a data breach) and malicious employee attacks. Of these threats, the most likely to occur are identity and authentication failures, data breach and malicious employee attacks.
• Social engineering, regulatory challenges and organized cyber crime, although topics for discussion, are threats that do not seem to worry those surveyed.
The world of healthcare has been talking about and slowly transitioning to EMRs for years. But that movement has been accelerated by the Health Information Technology for Economic and Clinical Health Act (HITECH), which was signed into law last February as part of the American Recovery and Reinvestment Act of 2009. It provides $21 billion to jump-start the adoption of health information technology by physicians and hospitals in order to improve healthcare quality and reduce costs. It expands on Health Insurance Portability & Accountability Act (HIPAA) rules for data security and privacy safeguards, including increased audits, enforcement and penalties. Among the enforcement provisions are mandatory patient data breach notification requirements.
"Healthcare leaders send orders down to IT security saying we have to comply with HIPAA or HITECH, but then they won't provide adequate support for resources," Spinney said. "Money is being made available through the federal government, but are they allocating resources effectively?"
He said that HIPAA has been perceived as toothless: companies and medical offices scrambled to comply with the regulation, "but it became clear that nobody was out there enforcing it," he said. "There have been some HIPAA enforcements in recent years, but it hasn't lived up to the fanfare. Overall we observed that a lot of times companies seem to be paralyzed by the thought that they need to embark on a very costly and complicated endeavor to address security. But oftentimes it's not the case. Doing nothing is not a substitute for doing something. Security is an ongoing endeavor. Threats and technology change, so it's very important to understand what improvements can be made incrementally to begin the process, and it's not always a costly, complicated process."
He pointed out that a lot of attention is paid to identity theft, credit card fraud and financial risks.
"Simmering behind the scenes is that folks are getting access to people's healthcare information, fraudulently using insurance policies to be treated themselves," he said.
He quoted Joanne McNabb, chief of the California Office of Privacy Protection, who refers to medical identity theft as "the theft that kills" because mishandled information can influence a doctor's decision such that medication can be inappropriately prescribed or fraudulently administered to others.
"A polluted medical record can lead to medical errors too," he said. "If I were in a car accident, unable to speak, the emergency management folks have my insurance card and access information about me. Perhaps some procedure was fraudulently carried out and billed that would cause a doctor to make an incorrect decision at the time of my emergency."
Spinney warned that data breaches can also occur when well-meaning institutions or doctors' offices contract out for services to digitize paper documents.
"Are you familiar with the company, and are they using proper security and techniques?" he asks. "If the information is being shipped overseas, where digital services are offered at steep discounts over domestic services, do you understand how they work and are the documents being properly disposed of?"
Another looming threat is access management. He said a network must be managed so that access to patient information is granted only to those who really need it.
"University of California, Los Angeles, Medical Center was involved in a number of recent scandals where people were leaking information on celebrities' health. This is a top-level consideration as network security is created," he said.
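The access-management point above (grant access only to staff who need it, and be able to spot snooping on high-profile patients) is easiest to see in code. The following is an added illustrative example, not code from the article, Ponemon, or LogLogic. It assumes a hypothetical in-memory EMR in which every patient has a care team, every read is written to an audit log, and a detector flags reads that either were denied or used an emergency "break-glass" override. All patient identifiers, staff names and record contents are constructed sample data.

```python
"""Least-privilege record access with an audit trail (added illustrative example).

Assumptions, not from the article: a tiny in-memory EMR where each patient has a
care team, every read attempt is logged, and a detector returns the events that
a privacy officer should review. Names and data below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class AccessEvent:
    user: str
    patient_id: str
    allowed: bool
    reason: str


@dataclass
class Emr:
    # patient_id -> set of usernames with a treatment relationship (constructed)
    care_teams: dict = field(default_factory=dict)
    # patient_id -> record contents (constructed sample data)
    records: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def read_record(self, user, patient_id, break_glass=False):
        """Return the record only if the user is on the care team, or if an
        emergency override is asserted. Every attempt, allowed or not, is logged."""
        on_team = user in self.care_teams.get(patient_id, set())
        if on_team:
            reason = "care-team"
        elif break_glass:
            # Emergency override: permitted, but always surfaced for review.
            reason = "break-glass"
        else:
            reason = "no treatment relationship"
        allowed = on_team or break_glass
        self.audit_log.append(AccessEvent(user, patient_id, allowed, reason))
        if not allowed:
            raise PermissionError(f"{user} may not read {patient_id}: {reason}")
        return self.records[patient_id]


def suspicious_accesses(log):
    """Events that merit review: denied attempts and break-glass reads."""
    return [e for e in log if not e.allowed or e.reason == "break-glass"]


def accesses_per_user(log):
    """Simple volume count per user, a cheap signal for curiosity browsing."""
    counts = defaultdict(int)
    for e in log:
        counts[e.user] += 1
    return dict(counts)


def demo():
    """Constructed scenario: one legitimate read, one denied curiosity read,
    one emergency override. Returns the EMR so the log can be inspected."""
    emr = Emr(
        care_teams={"P-1001": {"dr_lee", "nurse_kim"}, "P-1002": {"dr_lee"}},
        records={"P-1001": "allergies: penicillin", "P-1002": "no known allergies"},
    )
    emr.read_record("dr_lee", "P-1001")
    try:
        emr.read_record("clerk_jo", "P-1001")  # not on the care team: denied and logged
    except PermissionError:
        pass
    emr.read_record("dr_ng", "P-1002", break_glass=True)  # emergency read: allowed, flagged
    return emr


if __name__ == "__main__":
    for event in suspicious_accesses(demo().audit_log):
        print(f"REVIEW: {event.user} -> {event.patient_id} ({event.reason})")
```

The design choice worth noting is that the check is tied to a treatment relationship rather than to a job title: a clinician who is not treating a particular patient is denied just like a clerk, and the override path exists but never escapes the audit trail.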
He said considerable effort needs to be made to make employees aware of their roles in protecting digitized information, because more than half of all data breaches have an internal element, whether negligent or malicious.
"There's a maxim we like to use: Those that have a data breach and those that will. Those that will can reduce the likelihood by just making employees aware," Spinney said.
Lynn Yoffee, 770-361-4789