In a discussion about electronic health records (EHRs) a couple weeks ago, one of the Human Resource team members at a prospective client said, "I don't believe it's possible to secure electronic health data. It's always an accident waiting to happen."
There is some truth to that. More and more, our Personal Health Information (PHI) is in electronic formats that allow it to be exchanged with professionals and organizations throughout the health care continuum. It is highly unlikely that each contact point has the protections to wrap that data up tightly, away from those who would exploit it.
Of course, PHI is among the richest examples of personal data, often with all the key ingredients prized by identify thieves: social security number, birthday, phone numbers, address, and even credit card information. This should give health care organizations considerable pause.
Then consider that, while paper charts contain the same information, electronic files often aggregate hundreds of thousands or even millions of records, information treasures troves for someone really focused on acquiring, mining and making use of the data.
Which is what makes a new health data security survey commissioned by Kroll Fraud Solutions and conducted by HIMSS Analytics, so provocative. As they had in 2008, HIMSS Analytics found that most provider organizations meticulously comply with data security rules and standards. But they're overly confident about the security that compliance actually conveys. Worse, many remain unaware, until confronted by an event, of the devastating implications of even a minor breach.
And the threat is intensifying as the market and technology evolve. In 2010, 19 percent of organizations reported a breach, half-again higher than the 13 percent in 2008. Apparently, both the complexity of the environment and the interest in the data are growing. Security may be diminishing as a result.
And breaches can be hugely costly. A Poneman Institute study found an average cost of $6.75 million for organizational data breaches. This figure is not limited to incidents with malicious origins or even harmful consequences. In January 2009, the Department of Veterans Affairs agreed to pay $20 million to veterans who could show they were hurt when, in 2006, a VA data analyst lost a laptop containing information on 26.5 million patients, nearly every living veteran. The laptop was eventually recovered without apparent data compromise. The VA is now struggling with a new, serious health data breach.
Nor is the impact likely to be financial alone. The larger cost may simply be in the loss of patient confidence. After all, if an organization can't competently manage my data, do I want to hand over management of my family's health?
Perhaps the HIMSS Analytics' study's most important and penetrating finding is that "health care organizations continue to think of data security in specific silos (IT, employees, etc.) and not as an organization-wide responsibility, which creates unwanted gaps in policies and procedures." Nearly 9 in 10 survey respondents said they have policies in place to monitor access to and sharing of health care information. But more than four-fifths of breaches occur in more mundane ways: e.g., lost/stolen laptops, improper document disposal, stolen tapes. In other words, the holes can't be addressed by isolated approaches.
Security is a process, not a product. This means that certification of PHI security must be larger than merely plugging the security gaps in information technology, and must extend to the ways that people access and use information and the information technology.
It is clear that the answers here involve making heath data security an enterprise-wide responsibility, creating highly aware environments resistant to breach in even the most seemingly insignificant interactions. That will demand a significant cultural shift, critically necessary but, as this survey shows, difficult for many organizations' leaders to wrap their heads around.