Healthcare organizations and other industry players are falling short in protecting the privacy and security of patient information, according to a new report from consulting firm PwC.
A survey of 600 executives from hospitals, physician groups, health insurance companies, and pharmaceutical and life sciences companies found that theft accounted for 66 percent of reported health data breaches in the past two years. Some of this is medical identity theft, the report said. Thirty-six percent of surveyed hospitals and physician groups said patients had sought services using somebody else's name and identification.
The rapid rise of mobile devices also has flummoxed many healthcare organizations. Fifty-five percent of those surveyed said they had not addressed privacy and security issues associated with mobile technology. Under a quarter of respondents had come to grips with the privacy and security implications of social media.
More than half of healthcare organizations said they'd had at least one issue with information security and privacy since 2009. The most frequently observed issue--reported by 40 percent of providers--was the improper use of protected health information by someone who worked in the organization.
PwC found that electronic data breaches occur three times as often as paper-based information breaches and affect 25 times more people when they occur. Most electronic breaches, however, are not related to computer hacking, but to insider theft or human errors, such as the loss of a computer device.
The new HIPAA security provisions expand the coverage of business associates of providers. But only 36 percent of health organizations perform a pre-contract assessment of their business associates, such as business partners and vendors, and just 26 percent conduct post-contract compliance assessments, says PwC.
The report finds that data breaches at business associates--such as the one involving Stanford University Medical Center--account for about 20 percent of the total and have affected 6 million individuals.
Also of note: While three-quarters of healthcare organizations said they either will seek or intend to seek "secondary uses" for health data, fewer than half of those entities address related privacy and security issues. "Top challenges for the industry related to the use of secondary data were establishing information security functions, appropriately encrypting data, and creating multiple levels of separation between the data and the end consumer," the report noted.