Health Care Organizations Underprepared to Secure Patient Data: PwC

A new report by PwC calls on health care organizations to adopt the security technology now being developed to avoid data breaches.

Consulting firm PwC's Health Research Institute has come out with a report revealing that health organizations are underprepared to secure patient medical information.

The report, "Old Data Learns New Tricks: Managing Patient Privacy and Security on a New Data-Sharing Playground," shows that despite advances in electronic health records (EHRs) software and security technology, health care organizations have yet to adopt privacy measures on a large scale.

For the survey, PwC interviewed 600 executives from hospitals, physician practices, health insurers and pharmaceutical and life science companies.

Only 58 percent of providers and 41 percent of health insurers train employees on privacy measures for EHRs, PwC reports.

Health care companies are underprepared because they've underinvested in IT and focused on legal and regulatory compliance under HIPAA instead, according to James Koenig, director and co-leader of the health information privacy and security practice at PwC.

"Now that there are law changes [and] IT changes to stimulate electronic health records, now's the time for these organizations to address and to mature their environment," Koenig told eWEEK.

EHRs are both an enabler of IT progress and a data privacy risk, according to Koenig.

"By maintaining the larger databases, you increase the amount of information that could be at risk by pursuing these paths, and by maintaining privacy and security, the rewards of increased patient care and quality and cost-effectiveness are enabled because this data hasn't been available or aggregated for analysis previously," he explained.

Despite health care organizations being underprepared, advances in access controls, encryption and monitoring related to EHR application development are happening faster than in other industries, Koenig said.

"Surprisingly, an industry that had been in many cases behind the curve in terms of investment in this area, now, because of the law and new uses and sharing of information, some of the latest innovations are coming from health care as opposed to financial services, so it's an interesting change," he said.

PwC announced the results of its survey on Sept. 22.

A big security issue for respondents was insiders improperly accessing health data. Over the last two years, 40 percent of providers surveyed reported a breach due to insider snooping or sharing of information. These incidents can include chatting in an elevator or through social media.

In addition, health care organizations are grappling with how to handle security on mobile devices such as iPads: 55 percent of the health care firms surveyed have not formulated plans for mobile device security.

PwC also revealed that 74 percent of health care organizations plan to share patient data externally for studies and development of new products, but only 17 percent of providers, 19 percent of payers and 22 percent of pharmaceutical and life sciences companies have developed a process to allow patients to consent to the disclosure.

Data is first used to treat patients, but then providers, payers and other vendors may use the data for analysis, clinical studies and compliance monitoring.

"Health care organizations are using this new data and technology and sharing with new third-party vendors and with others to improve quality of care, yet there's a need to continue to invest in privacy and security," Koenig said.

Among breaches reported, 75 percent have been electronic and 25 percent paper-based, he noted.

Under the HITECH Act, organizations must notify the Department of Health and Human Services (HHS), affected individuals and the media of breaches affecting more than 500 people. More than 288 breaches have been reported to the Office for Civil Rights within HHS since September 2009.