From The Editor | December 8, 2011

Addressing The Health Data Breach Epidemic

Ken Congdon, Editor In Chief of Health IT Outcomes

Ponemon Institute recently unveiled its Second Annual Benchmark Study On Patient Privacy And Data Security and, unfortunately, the results are confirming one of our worst fears about EHR adoption — much of the industry seems ill prepared to ensure PHI (protected health information) remains secure in electronic format. According to the benchmarking study, which was based on in-depth interviews with 300 representatives from 72 healthcare organizations, the frequency of data breaches increased 32% this year over last, with compromised patient records increasing an average of 46%. Employee negligence was cited as the primary culprit for the increase in health data breaches — an epidemic that costs the U.S. healthcare system an estimated $4.2 billion to $8.1 billion annually.

Budgetary Pressures Block Security Initiatives
While federal government incentives have been effective at accelerating the rate of EHR adoption in the United States, they may be coming at the expense of properly securing electronic health data. For example, 53% of the healthcare organizations surveyed cited lack of budget as their biggest weakness in preventing data breaches. In fact, the EHR/Meaningful Use push has stripped many healthcare IT budgets to the bone, forcing healthcare organizations to cut or postpone other technology projects, including data security initiatives. Financial difficulties have also forced many healthcare providers to downsize their staffs, and rely instead on outside business associates to perform many hospital functions involving patient data (e.g. data migration and archiving, document imaging, etc.). It's clear from the survey that many of these business partners don't have the security procedures in place to preserve the integrity of PHI. In fact, 69% of respondents indicated that they have little or no confidence in the ability of their business associates to secure patient data.

Increased PHI Mobility Drives Cloud Consideration
As mentioned, employee negligence was cited as the primary culprit for the increase in health data breaches. Specifically, 49% of respondents cited lost or stolen mobile computing or data devices (e.g. laptops, tablets, handhelds, flash drives, etc.) as the reason why most health data is compromised. Furthermore, while 80% of the healthcare providers surveyed said they used mobile devices to collect, store, and/or transmit some form of PHI, only half did anything to protect these devices.

It's interesting — data control and security have historically been among the biggest concerns and objections surrounding cloud-based data applications. However, the growing use of mobile technologies to collect and store PHI may now make security one of the biggest arguments for moving to the cloud. Think about it: if PHI is kept in the cloud instead of physically stored on mobile devices, then little damage can be done to PHI integrity when these devices are lost or stolen.

EHRs & PHI Security Need To Go Hand-In-Hand
The data breach statistics highlighted by the Ponemon study are undoubtedly disappointing. However, they should not serve as a condemnation of EHR technology. EHRs are crucial to cutting healthcare costs and improving patient care in the U.S. The benefits hospitals and practices receive from properly installed EHRs are regularly chronicled on Health IT Outcomes. However, there's no doubt that the PHI security issue needs to be addressed. Healthcare IT professionals need to begin thinking about EHR implementation and PHI security in tandem as opposed to two separate IT initiatives. Furthermore, the federal government needs to incentivize healthcare providers to not only adopt and use EHRs, but also ensure the data is secure. This is food for thought as HHS (The Department of Health and Human Services) works to complete its final rules for Stage 2 Meaningful Use, scheduled to be published in February 2012. In hindsight, PHI security protocols for EHR-related data should have been more stringent in the Stage 1 criteria.

An increased focus on PHI security is one health IT trend I see on the horizon for 2012. However, do you feel the same way? We're currently conducting a Health IT Trends Survey to determine the IT trends that will have the most impact on healthcare providers in the coming year. Please take five minutes to complete the survey and have your voice heard. The results of the survey will be published in our special February print edition titled The Top 10 Health IT Trends For 2012. Plus, you could win one of two $100 Amazon gift cards for your insight.