From The Editor | February 3, 2011

A PHI Security Wake Up Call


By Ken Congdon, editor in chief, Health IT Outcomes

You'd think with all the federal regulations aimed at ensuring PHI (protected health information) remains private, healthcare facilities would have fairly bulletproof systems in place for securing patient records, right? Well, not according to a new survey released by Ponemon Research. The survey, sponsored by Informatica and titled Health Data At Risk in Development: A Call For Data Masking, reveals that more than half of healthcare companies do not adequately protect critical health data — placing consumers in serious danger of having their private health information compromised.

Key Findings
The research findings were based on a survey of more than 450 IT professionals in U.S. healthcare organizations. Key data points revealed by the survey include:

  • Despite the sensitivity of PHI, 51% of those surveyed do not protect patient data used in software development and testing.
  • Losses can easily go undetected, with 78% of respondents unsure whether their organization could even detect the theft or accidental loss of real data during software development or testing.
  • Data breaches are commonplace, with 38% of respondents admitting that they had a breach involving data in a development or test environment and another 12% saying they were unsure if they have had a breach or not.
  • Consequences are high, with 59% of those with a history of data breaches experiencing disruption of operations; 56% facing regulatory action, and 36% suffering a damaged reputation.
  • Goals do not align with actions, with 74% of respondents saying that meeting privacy and data protection requirements is important and only 35% saying their organization is successful in achieving this goal.
  • Cloud computing and outsourcing are perceived to increase the risk, with 40% of respondents admitting they don't outsource because of security concerns and only 19% stating that they are confident in data security in a cloud environment.

Tightening Security
The results of the Ponemon survey are frightening. Even if you take these statistics with a grain of salt (considering the survey was commissioned by a data integration and security vendor), they certainly indicate a clear need for an increased focus on protecting patient data. Ponemon recommends the following immediate actions to tighten your PHI security processes:

  • Centralized executive oversight — create a single point of executive-level responsibility coupled with policies and procedures for safeguarding your organization's real patient data in non-production environments.
  • Invest in key technologies including tools to "transform or mask sensitive or confidential data without diminishing the richness of the data necessary for successful testing and development."
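The recommendation above is stated at the policy level. As an added example (not from the Ponemon report or any vendor's product), the following Python shows the properties a practitioner would actually want from a masking tool for non-production data: keyed, deterministic pseudonyms so a masked MRN still joins across tables; an SSN substitute that keeps the NNN-NN-NNNN shape so the application under test still validates it; a per-patient date shift that preserves lengths of stay and lab timing; and a check that no original direct identifier survives in the masked copy. The two patient records, the encounter rows, the masking key and the column names are all constructed for illustration. A keyed HMAC rather than a plain hash is used on purpose: the SSN and MRN spaces are small enough to brute-force an unkeyed hash.

```python
"""Keyed PHI masking for a non-production copy of two related tables."""
import hmac
import hashlib
from datetime import date, timedelta

# Constructed sample data; not real patients and not from the survey.
PATIENTS = [
    {"mrn": "MRN100234", "name": "Jane Q. Public", "ssn": "123-45-6789",
     "dob": date(1961, 4, 12), "admit": date(2010, 11, 3),
     "discharge": date(2010, 11, 9), "dx": "E11.9"},
    {"mrn": "MRN100777", "name": "John Doe", "ssn": "987-65-4321",
     "dob": date(1949, 9, 30), "admit": date(2011, 1, 14),
     "discharge": date(2011, 1, 15), "dx": "I10"},
]
ENCOUNTERS = [
    {"encounter_id": 1, "mrn": "MRN100234", "event": date(2010, 11, 5), "lab": "HbA1c 8.1"},
    {"encounter_id": 2, "mrn": "MRN100777", "event": date(2011, 1, 14), "lab": "BP 160/95"},
    {"encounter_id": 3, "mrn": "MRN100234", "event": date(2010, 11, 8), "lab": "HbA1c 7.9"},
]

# Assumed: in a real deployment this key lives in an HSM/KMS and never reaches
# the test environment, so masked values cannot be reversed there.
MASKING_KEY = b"example-only-rotate-me"


def _prf(key: bytes, field: str, value: str) -> bytes:
    """Keyed, deterministic PRF; the field label domain-separates columns."""
    return hmac.new(key, f"{field}\x00{value}".encode(), hashlib.sha256).digest()


def pseudonym(field: str, value: str, key: bytes, length: int = 8) -> str:
    """Stable token for a direct identifier: same input gives the same token
    in every table, so joins still work after masking."""
    return _prf(key, field, value).hex()[:length].upper()


def mask_ssn(ssn: str, key: bytes) -> str:
    """Replace an SSN with keyed digits that keep the NNN-NN-NNNN shape."""
    digits = "".join(str(b % 10) for b in _prf(key, "ssn", ssn)[:9])
    return f"{digits[:3]}-{digits[3:5]}-{digits[5:]}"


def date_shift(mrn: str, key: bytes, max_days: int = 365) -> timedelta:
    """Per-patient offset in [-max_days, +max_days]. Applying the same offset
    to every date for that patient preserves intervals such as length of stay."""
    n = int.from_bytes(_prf(key, "shift", mrn)[:4], "big")
    return timedelta(days=n % (2 * max_days + 1) - max_days)


def mask_patients(patients, key):
    out = []
    for p in patients:
        shift = date_shift(p["mrn"], key)
        out.append({
            "mrn": "MRN" + pseudonym("mrn", p["mrn"], key),
            "name": "Patient " + pseudonym("name", p["name"], key, 6),
            "ssn": mask_ssn(p["ssn"], key),
            "dob": date(p["dob"].year, 1, 1),  # keep year for age logic, drop day/month
            "admit": p["admit"] + shift,
            "discharge": p["discharge"] + shift,
            "dx": p["dx"],  # clinical code kept: this is the "richness" testers need
        })
    return out


def mask_encounters(encounters, key):
    return [{
        "encounter_id": e["encounter_id"],
        "mrn": "MRN" + pseudonym("mrn", e["mrn"], key),  # same mapping as patients
        "event": e["event"] + date_shift(e["mrn"], key),
        "lab": e["lab"],
    } for e in encounters]


def leaked_identifiers(original_rows, masked_rows, fields=("mrn", "name", "ssn")):
    """Return every original direct identifier that still appears anywhere in
    the masked copy; an empty list is the pass condition before a refresh ships."""
    masked_blob = " ".join(str(v) for r in masked_rows for v in r.values())
    return [r[f] for r in original_rows for f in fields if r[f] in masked_blob]


def is_ssn_shaped(s: str) -> bool:
    return len(s) == 11 and s[3] == "-" and s[6] == "-" and s.replace("-", "").isdigit()


if __name__ == "__main__":
    masked_p = mask_patients(PATIENTS, MASKING_KEY)
    masked_e = mask_encounters(ENCOUNTERS, MASKING_KEY)
    print("leaked identifiers:", leaked_identifiers(PATIENTS, masked_p + masked_e))
    for row in masked_p:
        print(row)
```

What this does not do is also worth noting: diagnosis codes, lab values and year of birth are kept because tests need them, but they are quasi-identifiers, and a small or unusual cohort can still be re-identified from them; a real masking program should review which clinical fields to generalize for each data set rather than treating direct identifiers as the whole problem.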

While many healthcare facilities will also need to adopt more stringent security measures, these two actions can improve the security of your data in the short term and reduce the risk of data breaches and regulatory fines.

Ken Congdon is Editor In Chief of Health IT Outcomes. He can be reached at ken.congdon@jamesonpublishing.com.