Gaps in hospital security policies put patient data at risk
The healthcare industry's focus on medical privacy and compliance has fostered a lack of awareness around the frequency, cause and seriousness of patient identity theft, according to the 2008 HIMSS Analytics Report: Security of Patient Data commissioned by Kroll Fraud Solutions, a provider of data protection and identity theft response services.
The report reveals a blind spot that hinders hospital efforts to contain the problem and reduce risk.
"Healthcare facilities are complex environments where information is stored and shared in a number of ways that are critical to patient well-being," said Brian Lapidus, chief operating officer of Kroll. "Until healthcare organizations expand their data security measures to address the threat of data compromise as well as privacy and compliance, patients will continue to be at risk."
Key report findings include:
- Regulatory loopholes in data management standards allow data breaches to go unreported, preventing an accurate measurement of frequency.
- Only 56 percent of breached organizations notified the patients involved.
- On average, respondents ranked their familiarity level with HIPAA at a 6.53 (on a scale of 1-7, with seven being the highest) and nearly 75 percent claimed a familiarity level of seven.
- The high level of HIPAA familiarity stems from the commencement of audits and the resulting penalties for non-compliant facilities. The issue remains that HIPAA compliance is an insufficient proxy for risk mitigation, according to the report.
The report also noted that healthcare organizations lack appreciation for the costs of a breach. Only 18 percent of breached organizations surveyed believed there was a negative financial impact, even though the average cost of a breach is estimated to be as high as $197 per compromised record and $6.3 million per incident.
"The number one priority of U.S. healthcare institutions is saving the lives of those in need and rightly so, I might add," said Lisa Gallagher, senior director of privacy and security for the Healthcare Information and Management Systems Society (HIMSS). "But patient safety extends beyond clinical care. This data tells us that organizations must also broaden their data security and risk management measures to address the threat of patient data breach."
Among the 13 percent of respondents who revealed that their facility had experienced a data breach:
- 48 percent indicated that "reprimanding the employee" is an effective breach response, while 11 percent offer education as a solution.
- 35 percent said that the security policy did not change after the incident.
The report also indicated that healthcare organizations are focusing their security programs on employee education, with nearly all respondents reporting that their organizations educate employees about the importance of maintaining patient data security. Almost 50 percent cited reprimanding or terminating the employee as an element of their organizations' breach response plan, and 35 percent of breached organizations surveyed did not change their security policies after the incident.