A new report by PwC calls on health care organizations to adopt the security technology now being developed to avoid data breaches.
Consulting firm PwC's Health Research Institute has come out with a report revealing that health organizations are underprepared to secure patient medical information.
The report, "Old Data Learns New Tricks: Managing Patient Privacy and Security on a New Data-Sharing Playground," shows that despite advances in electronic health records (EHRs) software and security technology, health care organizations have yet to adopt privacy measures on a large scale.
For the survey, PwC interviewed 600 executives from hospitals,
physician practices, health insurers and pharmaceutical and life
science companies.
Only 58 percent of providers and 41 percent of health insurers train employees on privacy measures for EHRs, PwC reports.
Health care companies are underprepared because they've underinvested in IT and focused on legal and regulatory compliance under HIPAA instead, according to James Koenig, director and co-leader of the health information privacy and security practice at PwC.
"Now that there are law changes [and] IT changes to stimulate electronic health records, now's the time for these organizations to address and to mature their environment," Koenig told eWEEK.
EHRs are both an enabler of IT progress and a risk concern as far as data privacy goes, according to Koenig.
"By maintaining the larger databases, you increase the amount of
information that could be at risk by pursuing these paths, and by
maintaining privacy and security, the rewards of increased patient care
and quality and cost-effectiveness are enabled because this data hasn't
been available or aggregated for analysis previously," he explained.
Despite health care organizations being underprepared, advances in
access controls, encryption and monitoring related to EHR application
development are happening faster than in other industries, Koenig said.
"Surprisingly, an industry that had been in many cases behind the
curve in terms of investment in this area, now, because of the law and
new uses and sharing of information, some of the latest innovations are
coming from health care as opposed to financial services - so it's an
interesting change," he said.
PwC announced the results of its survey on Sept. 22.
A big security issue for respondents was insiders improperly
accessing health data. Over the last two years, 40 percent of providers
surveyed reported a breach due to insider snooping or sharing of
information. These incidents can include chatting in an elevator or
through social media.
In addition, health care organizations are grappling with how to handle security on mobile devices such as iPads, with 55 percent of respondents at health care firms not formulating plans for security on mobile devices.
PwC also revealed that 74 percent of health care organizations plan
to share patient data externally for studies and development of new
products, but only 17 percent of providers, 19 percent of payers and 22
percent of pharmaceutical and life sciences companies have developed a
process to allow patients to consent to the disclosure.
Data is first used to treat patients, but then providers, payers and
other vendors may use the data for analysis, clinical studies and
compliance monitoring.
"Health care organizations are using this new data and technology
and sharing with new third-party vendors and with others to improve
quality of care, yet there's a need to continue to invest in privacy
and security," Koenig said.
Among breaches reported, 75 percent have been electronic and 25 percent paper-based, he noted.
Under the HITECH Act, organizations must notify the Department of Health and Human Services (HHS), affected individuals and the media of breaches affecting more than 500 people. More than 288 breaches have been reported to the Office for Civil Rights within HHS since September 2009.