Personal health information (PHI) is among the most sensitive and highly regulated data that an organization can produce and collect. Still, that doesn't mean healthcare providers are immune to data breaches, as many have felt the damaging effects of these incidents during the past several years.
Unfortunately, according to research recently released by Redspin Resources, neither the Health Insurance Portability and Accountability Act (HIPAA) nor the Health Information Technology for Economic and Clinical Health Act (HITECH) can put an end to data breaches on their own. It takes the commitment of healthcare providers to implement robust data security programs.
That's especially true given the industry's widespread movement away from paper records and toward electronic data.
Even before taking office, President Barack Obama championed this migration as a way for the industry to cut costs, modernize its use of technology and ultimately improve patient care. And the incentive programs offered under the American Recovery and Reinvestment Act (ARRA) of 2009, as well as by the Centers for Medicare and Medicaid Services (CMS), have sparked providers across the country to deploy electronic health records (EHRs) and information sharing systems.
"Information security is the Achilles heel of [electronic personal health information]," Redspin's report stated. "Without further protective measures, it could derail widespread implementation and adoption of electronic health records."
Redspin analyzed all data incidents reported to the U.S. Department of Health and Human Services (HHS), which totaled 385 at the time of the report. Among those breaches, more than 19 million patient records had been exposed.
In 2011, the average number of records lost during a breach was nearly 50,000, which was about 80 percent more than the average incident that occurred the previous year.
Among the biggest problems for providers is the value of PHI to cybercriminals. Stealing, misusing or selling confidential information has always been extremely lucrative, and, for that reason, fraudsters will continue to target it through cyberattacks and network intrusions.
According to Redspin's whitepaper, healthcare organizations must also view PHI in this light in order to secure it effectively.
"If the data is worth that much to criminals, then it should be worth even more to protect," the report stated. "The cost of a single, large-scale breach can be devastating to healthcare companies, resulting in organizational disruption, incident response and brand damage, as well as unplanned expenses ranging from patient and public communications, PR, legal fees, civil penalties and class-action lawsuit settlements."
But now is the time for healthcare organizations to rethink and re-energize their data security programs, especially considering the HHS' enforcement division, the Office of Civil Rights (OCR), has already announced plans to crack down on HIPAA compliance. As a result, the OCR will begin conducting more audits of healthcare providers throughout 2012 and the years following.
It's important that healthcare organizations take a proactive approach and prepare today for an audit that could be coming tomorrow. To assist in the matter, Healthcare IT News recently highlighted many steps that providers can follow.
To begin, the report stated, it always helps for an organization to know its compliance status. This will let a company know how much work needs to be done and what requires the most attention. Then it's time to develop HIPAA policies and procedures, compliance oversight teams and data breach response plans.
Finally, according to Healthcare IT News, organizations should conduct risk analysis and assessments to identify trouble spots within their systems, as well as periodic audits to ensure that data security measures are doing their jobs.
Security News from Trend Micro