Most breaches are not the result of hackers, but rather reflect the increase in the risks of the knowledgeable insider related to identity theft and human error.
A majority of health organizations are under-prepared to protect patient privacy and secure data as new uses for digital health information emerge and access to confidential patient information expands, according to a new report released today by PricewaterhouseCoopers.
The Health Research Institute at PwC US said that old privacy and security controls no longer suffice to comply with existing privacy laws and patient consent agreements. Health organizations need to update practices and adopt a more integrated approach to ensure that patient information doesn't fall into the wrong hands, PwC says.
In its report titled Old data learns new tricks: Managing patient privacy and security on a new data-sharing playground, PwC says that existing privacy and security controls have not kept pace with new realities in healthcare: increased access to information in electronic health records; greater data collaboration with external partners and business associations; the emergence of new uses for digital health information to improve the quality and cost of care; and the rise of social media and mobile technology to better and more efficiently manage patient health.
A recent nationwide PwC Health Research Institute survey of 600 executives from US hospitals and physician organizations, health insurers, and pharmaceutical and life sciences companies found:
• Theft accounted for 66 percent of total reported health data breaches over the past two years. Also, medical identity theft appears to be on the rise. Over one third (36 percent) of provider organizations (hospitals and physician groups) confirmed that they have experienced patients seeking services using somebody else's name and identification.
• More than half (55 percent) of health organizations surveyed have not addressed privacy and security issues associated with the use of mobile devices, and less than one-quarter have addressed privacy and security implications of social media.
• More than half (54 percent) of health organizations surveyed reported at least one issue with information privacy and security over the past two years.
• The most frequently reported issue among providers was the improper use of protected health information by an internal party. Over the past two years, 40 percent of providers reported an incident of improper internal use of protected health information.
• The most frequently reported issue among health insurers and pharmaceutical and life science companies was the improper transfer of files containing personal health information to unauthorized parties. Over the past two years, one in five (21 percent) pharmaceutical and life sciences companies and one in four (25 percent) of health insurers improperly transferred files containing protected health information.
"Although paper-based health information breaches must now be disclosed under the breach notification provision under the HITECH Act, electronic data breaches occur three times more frequently and affect 25 times more people when they occur," said James Koenig, director and co-leader, Health Information Privacy and Security Practice, PwC. "Most breaches are not the result of IT hackers, but rather reflect the increase in the risks of the knowledgeable insider related to identity theft and simple human error – loss of a computer or device, lack of knowledge or unintended unauthorized disclosure."
Cloud Security Reading: The Big Shift to Cloud-based Security
PwC's research found that there is considerable concern for the "knowledgeable insider." On average, improper use of personal health information by an internal party was the leading privacy/security issue experienced by healthcare organizations over the last two years. Because of lack of awareness or training, breaches can result easily and with greater probability from mishandling of paper documents, people talking in the elevator, or comments made via social media channels. In addition, risks of data breaches and the complexity of consent agreements rises when information is shared with business associates, the source of more than half of reported health data breaches affecting more than 11 million people since 2009. PwC's survey found:
• More than half of healthcare organizations allow access to social networking while at work; less than half have a policy covering the use of social media outside of work.
• Less than half (37 percent) of health organizations surveyed incorporate approved uses of mobile devices and social media as part of company privacy training.
• Only 58 percent of providers and 41 percent of health insurers say they include the appropriate use of electronic health records (EHR) as part of employee privacy training.
• Only 36 percent of health organizations perform a pre-contract assessment of their business associates such as business partners and vendors, and just 26 percent conduct post-contract compliance assessments.
Digitized health data is becoming one of the most highly valued assets in the health industry, and, according to PwC, all kinds of organizations are now converging around the shared use of the information to enable new care delivery models such as accountable care organizations, outcomes-based reimbursement and the advance of wellness, preventive and personalized care.
Organizations also are discovering the potential in secondary uses of the information beyond treating patients, such as in clinical studies, post-market surveillance of drugs and the development of new products and services to better understand patient health and behaviors. Yet PwC found that while many organizations are sharing information, the complexity of consent further increases and few organizations have established proper restrictions and consent agreements to control proper access. PwC's research found that:
• Only 17 percent of providers, 19 percent of payers and 22 percent of pharmaceutical/life sciences companies have a process in place to manage patients' consent for how their information can be used.
• Nearly three quarters (74 percent) of healthcare organizations surveyed said they already do or intend to seek secondary uses for health data; however, less than half have addressed or are in the process of addressing related privacy and security issues.
• Sixty-one percent of pharmaceutical and life sciences companies, 40 percent of health insurers and 38 percent or providers currently share information externally. Of those organizations that share data externally, only two in five pharmaceutical and life sciences companies (43 percent) and one in four insurers (25 percent) and providers (26 percent) have identified contractual, policy or legal restrictions on how the data can be used.
"To protect patient trust and their own brand reputation, organizations need to go beyond minimum regulatory requirements and adopt an integrated approach that combines privacy, security and compliance within a culture where all employees see themselves as champions of confidentiality and where privacy is part of the patient experience," said Peter Harries, principal and co-leader, Health Information Privacy and Security Practice, PwC.
A full copy of PwC's report is available for download here, but registration is required.
IT Security Reading: Justifying IT Security: Managing Risk & Keeping Your Network Secure