HIMSS Analytics (HIMSS is short for the Healthcare Information and Management Systems Society), a “think-tank” for the healthcare management world, has just released the 2008 HIMSS Analytics Report: Security of Patient Data.
This report examines the security of patient personal identifying information (PII) and protected health information (PHI). In the current data-breach-crazed world, this is a timely report which tries to get beneath the surface of what health professionals need: quick access to patient health records balanced against the need to protect patient privacy and to prevent access to information which could lead to identity theft. Press release.
In discussing PHI and PII it is important to first establish a fact. Unauthorized access to PII, no matter where it may be found, could lead to identity theft. Unauthorized access to PHI alone will not lead to financial identity theft in most cases. It could be used to help a fraudster identify a possible victim by placing the consumer/victim in a particular location, and it may give the fraudster a hint as to the vulnerabilities of the consumer. It is also unlikely to result in medical identity theft. In terms of the information needed to perpetrate identity theft, the date of birth and Social Security Number are far more valuable than PHI. A consumer may feel that their privacy has been violated when PHI has been exposed, but unless PII is included in the breached data, the patient is only marginally more likely to be exposed to identity theft than other, non-breached consumers.
Health care organizations, or “covered entities” as HIPAA labels them, must still treat all the personal information of their clients/patients the same. Other privacy obligations affecting the health care world are mandated by Sarbanes-Oxley and Gramm-Leach-Bliley. In some cases, the PCI Data Security Standard may also apply. Compliance with these three laws and the PCI Standard obligates a health care entity to take formal steps to implement reasonable privacy and security policies and procedures.
The HIMSS report may reflect a gap between reasonable policies and procedures and actual practice. Most healthcare facilities responding to HIMSS “indicated that their organization has a security policy in place” (p. 4 of the report). The study continues that these policies are reviewed regularly, with “85 percent of respondents indicating that their policy was updated on an annual basis, if not more often” (p. 4 of the report).
Yet the report also indicates that employees are considered the greatest threat which could cause a data breach of patient information (p. 6, p. 15 of the report). The respondents indicated that even though new hire training involves security-related matters at most organizations (95% of respondents), only 64% of the respondents require some form of ongoing security refresher training (p. 8). On the surface, it is fair to conclude that health care facilities do not place much faith in their security training. This is an area which could be addressed by building security-mindedness into all areas of training and into every separate task performed in the facility. Or, as Brian Lapidus, Kroll Fraud Solutions Chief Operating Officer and survey sponsor, put it in the press release:
"There's a dangerous assumption in the healthcare industry that education leads to policy implementation and change," said Mr. Lapidus of Kroll. "Best practices in data security cannot be achieved by employee training alone. Organizations must make data security a part of their DNA, reflected in every aspect of business operations."
Maybe some of this detachment between policy and practice identified in the report can be traced to healthcare organizations focusing much of their security effort and resources on IT-related security at the expense of employee training. Ninety-seven percent (97%) of the respondents have implemented “Technical IT security,” while only 70% have implemented formal education courses. This disparity can be compared and contrasted with the respondents' actual reporting of how breaches occurred. The HIMSS results reveal that health care management's concern regarding employees is justified: employee-originated “unauthorized use of information” led to 62% of all breaches, followed by 32% of respondents blaming “wrongful access of paper-based patient information” (p. 18). In addition, in response to the question “who was the perpetrator of the security breach?” 80% identified a current employee. While improper release of PII or PHI may have originated with an employee 62% of the time, only some of these occasions are likely the result of a blatant attempt to steal information; many are probably unintentional consequences of the busy and often demanding need to react with haste in a health care setting.
Based upon this research, healthcare facilities and employers seem to understand what causes data breaches but address these concerns ineffectively. A concentration on data security from the IT perspective does not address the fact that employees with authorized access to information who cause breaches, whether intentionally or unintentionally, are the most significant threat to patient privacy and to the prevention of identity theft. Better background screening and higher thresholds for new hires may address some of this problem. The effort to implement a national health record access system may or may not solve this problem, and it is equally uncertain whether such a system would make theft of information easier. Healthcare management is left with the daunting task of figuring out what change is needed to prevent patient PII and PHI from being breached while keeping it accessible for those health care professionals who need it. Based upon the HIMSS results, the policies and procedures at many of America’s health care facilities need to be re-evaluated with a mind to stimulating a culture of data security. A copy of the report can be downloaded here.