Nearly three-quarters of health care firms reported data breaches in the last year, with snooping staffers mostly to blame, according to a survey by data analytics vendor Veriphyr.
A new study by Veriphyr, a software-as-a-service data analytics application provider, found that 71 percent of health care organizations have suffered at least one data breach within the past year.
Veriphyr offers data-analytics software that allows medical practices to view logs showing who has accessed patients' medical records.
Insider peeks were responsible for most of the breaches, the company reports. Of the breaches reported in the survey, 35 percent involved snooping into medical records of co-workers, and 27 percent involved viewing records of friends and relatives.
Of the 90 health care IT managers Veriphyr surveyed in its Web-based poll, 52 percent believed their health care facility lacked adequate tools to monitor inappropriate access to personal health information.
Veriphyr released its report, entitled "Veriphyr's 2011 Survey of Patient Privacy Breaches," on Aug. 31. It includes results of its survey of compliance and privacy officers at mid- to large-size hospitals and health care service providers.
Under HIPAA rules, hospitals must have at least one compliance officer, or privacy officer, to monitor proper access to records.
Of the incidents reported, 25 percent involved loss or theft of physician records and 20 percent were loss or theft of equipment holding personal health data.
The study found that 79 percent of respondents were "somewhat concerned" or "very concerned" that existing processes do not enable prompt detection of health data breaches. Still, 80 percent of those surveyed believed that top management would act on their recommendations to comply with security requirements, and 74 percent were satisfied with their organization's level of IT compliance and security.
Meanwhile, 52 percent of respondents were dissatisfied with their organization's IT tools to track inappropriate access to sensitive personal health information. The more data breaches respondents reported, the more they were dissatisfied with their company's IT tools.
The results of the survey show that a narrow line exists between accessing the information out of medical necessity and simply snooping out of curiosity.
"The issue in health care is that information about you in the hospital needs to be available to anyone who will give you care," Alan Norquist, Veriphyr's CEO, told eWEEK. "Access to health care information is available broadly."
Physician office staff may be recruited by criminals to access information or may seek information about movie stars or former spouses, Norquist said.
Without an actual person guarding a room of paper records, electronic data may be more challenging to monitor, Norquist suggested. "In the old paper days, it would have been flagged by the person in the health records room," he said.
Data breaches have affected more than 10 million patients since 2009, according to the Office for Civil Rights in the U.S. Department of Health and Human Services. Recent incidents have included lost hardware such as thumb drives or laptops containing personal health information.
At Henry Ford Health System in Detroit, a lost flash drive affected 2,777 patients. In a similar case at the nonprofit Family Planning Council in Philadelphia, a flash drive stolen in December 2010 stored data on 70,000 patients.