Putting the fragments together to ensure data security

While the total economic impact of data breaches in American hospitals has reached an astounding $6 billion annually, many health care organizations still are failing to put into place protections to prevent or fix these data breaches.

This finding comes from a new study by the Deloitte Center for Health Solutions, which predicts that in the long run, costs related to privacy and security will increase even further--particularly because of the fragmentation of the American health system.

The report, "Privacy and Security in Health Care: A Fresh Look," notes that privacy and security regulations generally have focused on health care organizations' internal security processes. However, in today's health care arena, "culpability has been expanded to downstream entities," it says.

Think about this premise: as hospitals and health care organizations move toward an entirely automated healthcare system featuring electronic health records (EHRs), clinical data warehousing, and increased transparency, more data moving through and outside an organization are at risk. This is creating a new urgency to review data privacy and security policies and operations.

New hot privacy and security spots have been emerging such as:

  • Covered entities vs. business associates: Gaps in current legislation have enabled data breaches, the report notes. Under HIPAA, the Department of Health and Human Services issued privacy and security rules governing personal health information. These rules define "technical and non-technical safeguards" that covered entities (CEs) must implement when handling protected electronic health information. However, the provisions do not extend to business associates of CEs--or to the individuals within CEs--which could cause problems with the exchange of personal health information.
  • Identity theft: Startlingly, about a third of data breaches result in medical identity theft. While the Federal Trade Commission began enforcing the "Red Flags Rule" to prevent identity theft--and protect sensitive information--healthcare industry compliance with this regulation has not been high, due to a lack of awareness and understanding of the rules.

To address these issues and others, the Deloitte study suggests that healthcare organizations take a revised tack to meet challenges. This includes assessing preparedness in three areas:

  • Risk management to help identify and assess data security risks, to produce security controls that stop or avoid risk, and to allocate security resources to improve data protection.
  • Security and privacy programs to create the policies, procedures, and training needed to stop or avoid risk across an organization.
  • Compliance to verify a healthcare organization's conformance to its own policies and standards. This can help reduce organizational risk and boost customer trust and confidence in its protection of personal health information.

Overall, these strategies can begin to provide new and effective tools for protecting personal health data in the brave, evolving--and fragmented--world of healthcare delivery. - Jan