Thursday, September 29, 2011

Some Useful Thoughts About Managing The Privacy and Security of Health Information. It Seems It Is The Insiders Who Should Be Blamed!

The following reports on a PwC report appeared a few days ago.
There is coverage here:

Theft of Digital Health Data More Often Inside Job, Report Finds

September 22, 2011, 12:16 AM EDT
By Carol Eisenberg
Sept. 22 (Bloomberg) -- Electronic health data breaches are increasingly carried out by “knowledgeable insiders” bent on identity theft or access to prescription drugs, according to a report from PricewaterhouseCoopers LLP.
More than 11 million consumers have had medical data stolen or inappropriately disclosed since September 2009, and the privacy breaches are expected to rise as more health information is put online, according to the report released today by the New York-based accounting firm’s health research institute. The most frequently reported issue was the improper use of protected information by an “internal party,” the study found.
The report underscores the need to strengthen privacy and security controls as health records are more frequently stored online and accessed by portable devices, said James Koenig, co-lead of PwC’s Health Information Privacy and Security Practice. Consumer concerns that personal medical information may be vulnerable to disclosure are likely to increase as the Obama administration spurs the adoption of digital records.
“Going forward, there needs to be the vigilant focus not just on improvements to health care, but also making sure privacy and security keep pace so that confidence in these new uses can be enabled,” Koenig said in an interview.
Survey of Executives
The report analyzed data from a survey of 600 executives from U.S. hospitals and physician groups, insurers and pharmaceutical and life sciences companies. More than half of the organizations reported a privacy or security-related issue related to health data over the last two years, Koenig said.
Theft accounted for 66 percent of publicly reported breaches, including stolen laptops, smart phones and other electronic devices, misuse of patient data to submit fraudulent claims and people seeking care in someone else’s name.
More details are here:
There is also some coverage here:

Health industry lacks patient data safeguards: poll

Thu, Sep 22 2011
By Alina Selyukh
(Reuters) - New technologies are flooding into the healthcare world, but the industry is not adequately prepared to protect patients from data breaches, according to a report published on Thursday.
A vast majority of hospitals, doctors, pharmacies and insurers are eager to adapt to increasingly digital patient data. However, less than half are addressing implications for privacy and security, a survey of healthcare industry executives by PricewaterhouseCoopers LLP found.
PwC's Health Research Institute interviewed 600 executives in the spring of this year and also found that less than half of their companies have addressed issues related to the use of mobile devices. Less than a quarter have addressed implications of social media.
"The health IT and new uses of health information are changing quickly and the privacy and security sometimes may not be moving in step," said Jim Koenig, a PwC director who is among the contributors to the report.
More here:
There is very comprehensive coverage here with a link to the actual report.

PwC: Health industry under-prepared to protect privacy

September 22, 2011 | Mike Miliard, Managing Editor
NEW YORK – Most health organizations are under-prepared to protect patient privacy and secure personal health information as new uses for digital health data emerge and access to confidential patient information expands, according to a new report from PwC's Health Research Institute.
Old privacy and security controls no longer suffice to comply with existing privacy laws and patient consent agreements, say PwC officials – who emphasize that health organizations need to update practices and adopt a more integrated approach to ensure that patient information doesn't fall into the wrong hands.
The report, titled "Old data learns new tricks: Managing patient privacy and security on a new data-sharing playground," shows how existing privacy and security controls have not kept pace with new realities in healthcare: increased access to information in electronic health records; greater data collaboration with external partners and business associations; the emergence of new uses for digital health information to improve the quality and cost of care; and the rise of social media and mobile technology to better and more efficiently manage patient health.
A recent nationwide PwC Health Research Institute survey of 600 executives from US hospitals and physician organizations, health insurers, and pharmaceutical and life sciences companies found:
  • Theft accounted for 66 percent of total reported health data breaches over the past two years. Also, medical identity theft appears to be on the rise. Over one third (36 percent) of provider organizations (hospitals and physician groups) confirmed that they have experienced patients seeking services using somebody else's name and identification.
  • More than half (55 percent) of health organizations surveyed have not addressed privacy and security issues associated with the use of mobile devices, and less than one-quarter have addressed privacy and security implications of social media.
  • More than half (54 percent) of health organizations surveyed reported at least one issue with information privacy and security over the past two years.
  • The most frequently reported issue among providers was the improper use of protected health information by an internal party. Over the past two years, 40 percent of providers reported an incident of improper internal use of protected health information.
  • The most frequently reported issue among health insurers and pharmaceutical and life science companies was the improper transfer of files containing personal health information to unauthorized parties. Over the past two years, one in five (21 percent) pharmaceutical and life sciences companies and one in four (25 percent) of health insurers improperly transferred files containing protected health information.
"Although paper-based health information breaches must now be disclosed under the breach notification provision under the HITECH Act, electronic data breaches occur three times more frequently and affect 25 times more people when they occur," said James Koenig, director and co-leader, Health Information Privacy and Security Practice, PwC. "Most breaches are not the result of IT hackers, but rather reflect the increase in the risks of the knowledgeable insider related to identity theft and simple human error - loss of a computer or device, lack of knowledge or unintended unauthorized disclosure."
.....
A full copy of PwC's report can be found here. (After registration)
Much more here:
The full report, or at least the summaries linked here, is important reading.
Just as you thought it was all easy, we have a slightly contrarian view put here:

Jay Cline: Are medical-data breaches overreported?

Healthcare organizations should make better use of the 'significant risk of harm' exemption in the federal law

Jay Cline
September 20, 2011 (Computerworld)
The Eli Lilly employee whose programming glitch exposed the e-mail addresses of almost 700 Prozac users to each other didn't know he was making history. Since that day in June 2001, hundreds more US healthcare organizations have reported medical-data breaches. As a result of those reports, federal and state health agencies have dealt out millions of dollars in fines, and the U.S. Department of Health and Human Services has launched a round of 150 audits. Meanwhile, a cottage industry of breach-notification service providers has arisen, and healthcare organizations can't find enough privacy talent to batten down the hatches.
But is this obsessiveness over health-data privacy warranted? Do medical-data breaches harm people, and does notifying them of the incidents help them?
The answer to these questions might seem like a resounding yes. The thought of our medical records ending up on websites or in criminals' hands makes us nervous. We want to know about these incidents if they happen, even though few of us take any action as a result of being notified.
This large and growing allocation of healthcare resources in an era of cost containment, however, deserves a closer look.
The phenomenon of data-breach notification started in California the same year as the Eli Lilly incident. State legislators Steve Peace and Jim Simitian drafted what became SB 1386, the first data-breach notification act in the world. Passed in 2002, this law remained an outlier until the infamous ChoicePoint breach of 2005. Nearly every U.S. state passed a breach-notification law in its aftermath, and many other countries are following suit. Most of these laws notably did not include personal medical records in their scope of concern.
That all changed in 2009. In April of that year, Congress passed the HITECH Act as part of the economic-stimulus package. Included in that act were instructions for the U.S. Department of Health and Human Services (HHS) to issue a series of new rules about improving the protection of personal health information. In August 2009, HHS released its first installment -- an "interim final rule" on notification of health-data breaches. By the end of 2011, HHS is expected to divulge its "final final rule" on medical-data breach notification.
The landmark feature of the interim final rule is a mandate to immediately notify HHS of any data breaches affecting 500 or more people. The rule also requires an annual notification to the department of incidents affecting fewer people. The department posts the notices for the large breaches on its infamous "wall of shame."
Lots more here:
Jay Cline does go on to propose a sensible framework for assessment of health information breaches, but I have to say that I do think, at the very least, those whose identifiable information leaks out or is exposed are entitled to know about it. After that, Jay is right that a ‘horses for courses’ approach makes sense, looking at the risk, possible damage and so on.
Better still might be to look hard at the PwC report and see where improvements can be made. You can be sure that once the national PCEHR commences, the pressure for breach notification will skyrocket!
David.