EHR coming on strong, but so are security risks
You may be proud of your hospital's progress towards adopting electronic health records (EHR), but you could be overlooking the additional risks of data security breaches.
A recent study found that many hospitals are rushing to adopt EHR in an effort to cash in on government incentives, but they are not adequately addressing data security and data privacy issues.
The study researchers coaxed health care leaders into providing candid, unvarnished assessments of their data security, and the results are alarming. Nearly three-quarters of hospitals reported inadequate resources for protecting data, and more than half said they had no confidence in their ability to prevent data breaches.
Data breaches can result in significant liability, about $2 million per incident, according to the study. Lawsuits filed by patients are one risk, as illustrated by a class action lawsuit recently filed against AvMed Health Plans in Gainesville, FL.
The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 requires health care providers to provide stronger safeguards for patient data and to notify patients when their information has been breached, so the Ponemon Institute in Traverse City, MI, developed the study to determine how well health care providers are managing security as they increase the use of EHR. Ponemon conducts independent research on privacy, data protection and information security policy, as well as providing consulting services.
The "Benchmark Study on Patient Data Security Practices" also examines each health care organization's privacy and data protection compliance activities, including policies, program management activities, enabling security technologies and security governance practices in addition to their ability to comply with the notification requirements mandated by HITECH.
(The full study can be found online at http://www2.idexpertscorp.com/resources/healthcare/healthcare-articles-whitepapers/ponemon-benchmark-study-on-patient-data-security-practices/?utm_source=Ponemon%2BRedirect&utm_medium=Online&utm_campaign=Ponemon%2BRedirect/)
Cloud computing needs attention
The study results suggest problems not just for the security of data within a hospital but also for that data when it is aggregated into off-site resources, "cloud computing" being one example, that allow easier access and synthesis, says Roy E. Hadley Jr., JD, a partner with the Cloud Computing and Cyber Security Practice of the Atlanta law firm of Barnes & Thornburg.
"It is readily apparent that securing the cloud is a work in progress and probably a work in its infancy," Hadley says. "What you see from the work at the Ponemon Institute is that there are still a lot of data breaches, and a lot of them are still of the physical kind where someone lost a laptop or tossed records in a Dumpster. But I'm worried that as we move more to the cloud, data security breaches are going to become more prevalent. That's the big concern."
Risk managers must ensure that data security is a top priority when others in the organization are touting the benefits of EHR and getting everyone excited about making the switch, says John L. Watkins, JD, also a partner with the Cloud Computing and Cyber Security practice of Barnes & Thornburg in Atlanta.
As the government and both political parties push the health care industry to adopt EHR and off-site data management, such as cloud computing, the potential risks may not be getting enough attention, he says.
"When you aggregate information in a central location, you create a target-rich environment for bad actors," Watkins says. "That has to be considered when you think about moving medical records to the cloud, which conceptually sounds like the logical way to do it."
More than half starting EHR
The researchers interviewed senior-level personnel at health care providers to collect data on the actual data loss and data theft experiences at their organizations. A total of 65 health care organizations participated in the study. The participating organizations are integrated delivery systems (a network of health care organizations under a parent holding company) (35%), part of a health care network (46%), and stand-alone hospitals or clinics (17%).
Fifty-six percent of respondents have either fully implemented EHR or are in the process of implementing it. Respondents interviewed work in all areas of the organization: security, administration, privacy, compliance, finance, and clinical.
"Our study found that data breaches remain a frequent occurrence at health care organizations threatening patient privacy and leaving healthcare organizations with a heavy financial burden," the Ponemon researchers concluded.
These are some key findings of the study:
Data breaches are costing the health care system billions.
According to respondents in the study, the economic impact of data breach incidents over a two-year period is approximately $2 million per organization, counting the direct costs and associated financial losses of remediating a data breach incident.
Because the study primarily focuses on hospitals, researchers calculated the total economic burden created by data breaches on U.S. hospitals as almost $12 billion.
Most health care organizations experience undetected breaches of patient data due to lack of preparation and staffing.
Health care organizations in the study reported inadequate resources (71%), few (if any) appropriately trained personnel (52%), and insufficient policies and procedures in place (69%) to prevent and quickly detect patient data loss. These realities have left organizations with little or no confidence in their ability to appropriately secure patient records (58%).
Protecting patient data is not a priority.
Seventy percent of hospitals say that protecting patient data is not a top priority. The majority of responding organizations have fewer than two staff dedicated to data protection management (67%). Most at risk are patient billing information and medical records, which are not being protected. In addition, patients are typically the first to detect a significant number of breaches at health care organizations (41%).
Federal regulations have not improved the safety of patient records.
The passage of the HITECH Act widened the scope of privacy and security protections under HIPAA to provide stronger safeguards for patient data. Despite the intent of these rules, the majority (71%) of respondents do not believe these new federal regulations have significantly changed the management practices of patient records.
False sense of security is common
The results suggest health care providers are not fully considering the impact of switching to EHR, the researchers say. They often are under the impression that EHR improves security, when the opposite can be true.
"Respondents in our study believe the move to EHR may make patient records more secure," the researchers write. "While the move to EHR may solve some of the security issues that health care organizations now face, it also creates new concerns for organizations to manage. This massive shift to digitized records makes patient data available to many more individuals within and outside the provider organization and leaves the data more vulnerable to the growing threat of cyber crime."
The pattern of results suggests respondents are not very confident about their organization's security environment, Watkins says. They appear to be most confident about standard agreements with business associates that clearly explain the requirements for data protection, training and awareness programs for all system users, and compliance with legal requirements and policies, including privacy laws and statutes, he says.
Watkins notes that the study results suggest providers are nervous about what happens to patient data when it leaves their facilities. While 85% believe they comply with the legal requirements of HIPAA, only 10% are confident that they are able to protect patient information when used by outsourcers and cloud computing providers.
"We've got health care providers adopting EHR faster than we're adopting the security for them," Hadley says. "Part of the problem is figuring out how to secure the information while still making the information available and usable in the way that everyone envisions. One of the things that ultimately will slow down adoption of EHR is if the health care industry can't get a handle on how to keep that information secure."
Roy E. Hadley Jr., JD, Partner, Cloud Computing and Cyber Security Practice, Barnes & Thornburg, Atlanta. Telephone: (404) 264-4036.
John L. Watkins, JD, Partner, Cloud Computing and Cyber Security Practice, Barnes & Thornburg, Atlanta. Telephone: (404) 264-4043.