Most healthcare organizations are underprepared to protect patient privacy and secure patient data as new uses for digital health information emerge and access to confidential patient information expands, according to a report published by PricewaterhouseCoopers' Health Research Institute in New York City.
The report calls for health organizations to update security practices and adopt a more integrated approach because old privacy and security controls no longer suffice to comply with existing privacy laws and patient consent agreements.
The report states that privacy and security measures have not kept pace with new realities in healthcare. It defines these as electronic health records (EHRs), the rise of social media and mobile technology, and greater data collaboration between healthcare facilities and external partners.
A nationwide survey of 600 executives from U.S. hospitals and physician organizations, health insurers, and pharmaceutical and life sciences companies found that theft accounted for two-thirds of the total number of reported health data breaches over the past two years. Improper use of personal health information by a "knowledgeable insider" was the leading privacy/security issue experienced by healthcare organizations over the past two years, while more than one-third of hospitals and physician groups reported that they have experienced medical identity theft attempts by individuals seeking treatment.
The survey also presented the following findings:
- More than half (55%) of healthcare organizations have not addressed privacy and security issues associated with the use of mobile devices, and fewer than 24% have addressed these issues with respect to social media.
- While more than half of the healthcare organizations allow access to social networking at work, fewer than half of them have a policy covering job-related use of social networking outside work.
- Only 58% of providers and 41% of health insurers said they include the appropriate use of EHRs as part of employee privacy training.
- Only 17% of providers and 19% of payors have a process in place to manage patients' consent with respect to how their information can be used.
Electronic data breaches occur three times more frequently than paper-based health information breaches and affect 25 times more people when they occur, according to James Koenig, director of the company's health information privacy and security practice. He attributed the majority of these breaches to human error and to deliberate actions by knowledgeable insiders rather than to IT hackers.