Report: Securing protected health information 'not always a top priority'
A comprehensive new report released this week, outlines the fragile state of patient information security, offering up a five-step methodology to help healthcare CIOs and CEOs determine the right level of investment in technology, processes and policy to better protect patient information.
In the report, three organizations--the American National Standards Institute (ANSI), The Santa Fe Group and the Internet Security Alliance--posit that while the healthcare system is trying to keep in step with today's dramatic technology shift--pushed along by federal and state carrot-and-stick mandates and incentives to adopt electronic health records--the "safeguarding of protected health information [PHI] is not always given top priority." The group also suggests that with the increase in nefarious intent, coupled with the "rewards" of stealing PHI, the situation is only going to get worse.
The claims are not without merit. A study released last month by the Ponemon Institute found that 91 percent of small provider organizations surveyed reported having had at least one data breach in the past year. According to statistics recently compiled by research company Melamedia, from January to February alone, breaches affected 19,051,267 patients.
What's more, such data breaches are not without consequences. For instance, the number of class-action lawsuits against Californian health system Sutter Health has jumped to 11, the result of a data breach that affected 4.2 million patients. And while the vast majority of patients see the value of EHRs, patients still are very much concerned about the security of their health information.
Still, the prevalence--and consumer fear--of at-risk PHI has not empowered CIOs with bigger IT security budgets. As reported in the ANSI study, although 60 percent of respondents in the November 2011 Healthcare Information and Management Systems Society's (HIMSS) security survey indicated that their IT budged dedicated to information security had increased in the past year, 53 percent said those increases only amounted to 3 percent or less of their total IT budget.