Thursday, September 23, 2010

Study shows security of medical data improving, still bad

Earlier this year Kroll Fraud Solutions (Kroll) and Healthcare Information and Management Systems Society (HIMSS) released the results of their second biannual study of patient data safety at healthcare providers.

The study noted that there may be no other place in private industry that is as rich a target for identity theft and data fraud as healthcare providers. They can possess just about every type of identifying info on their patients: Social Security numbers, driver's license numbers, insurance policies, religious affiliation, addresses and phone numbers, etc.

According to the study, there have been over 110 breaches of personal data from healthcare organizations since January 2008. The breaches have affected over 5 million people. Almost half of them involved employees - negligence or loss was the cause slightly more often than malicious employees. The next biggest cause of data breaches was theft, with system hacks and viruses coming in a very distant 3rd.(1)

According to the study, most health organizations are taking steps to ensure the security of patient data, but hospitals focus on responding to breaches to the detriment of preventing them.(2) But most hospitals are open to change and to getting help to improve their data security. Not only is the cost of a data breach high and getting higher, but they also don't want their customers/patients harassed or given any other reason to sue them.

Despite ever-increasing regulatory requirements, or maybe because of them, the number of data breaches at hospitals in the past 24 months has increased. Part of the problem is the attitude surrounding patient data. It's not that hospitals don't want to protect their patient data; it's that their efforts since HIPAA was first passed have been geared to react to a breach, not prevent it. Until that changes, we will continue to have frequent data breaches. Happily, hospitals seem willing to learn how to better protect their patients' data. The only question is, how long will it take?

(1) 2010 HIMSS Analytics Report: Security of Patient Data commissioned by Kroll’s Fraud Solutions p3

(2) ibid p5