A majority of health organizations are under-prepared to protect patient privacy and secure data as new uses for digital health information emerge and access to confidential patient information expands, according to a new report released today by the Health Research Institute at PwC US. Old privacy and security controls no longer suffice to comply with existing privacy laws and patient consent agreements, says PwC. Health organizations need to update practices and adopt a more integrated approach to ensure that patient information doesn’t fall into the wrong hands.
In its report entitled "Old data learns new tricks: Managing patient privacy and security on a new data-sharing playground," PwC says that existing privacy and security controls have not kept pace with new realities in healthcare: increased access to information in electronic health records; greater data collaboration with external partners and business associations; the emergence of new uses for digital health information to improve the quality and cost of care; and the rise of social media and mobile technology to better and more efficiently manage patient health.
A recent nationwide PwC Health Research Institute survey of 600 executives from US hospitals and physician organizations, health insurers, and pharmaceutical and life sciences companies found:
— Theft accounted for 66 percent of total reported health data breaches over the past two years. Also, medical identity theft appears to be on the rise. Over one third (36 percent) of provider organizations (hospitals and physician groups) confirmed that they have experienced patients seeking services using somebody else’s name and identification.
— More than half (55 percent) of health organizations surveyed have not addressed privacy and security issues associated with the use of mobile devices, and less than one-quarter have addressed privacy and security implications of social media.
— More than half (54 percent) of health organizations surveyed reported at least one issue with information privacy and security over the past two
— The most frequently reported issue among providers was the improper use of protected health information by an internal party. Over the past two years, 40 percent of providers reported an incident of improper internal use of protected health information.
— The most frequently reported issue among health insurers and pharmaceutical and life science companies was the improper transfer of files containing personal health information to unauthorized parties. Over the past two years, one in five (21 percent) pharmaceutical and life sciences companies and one in four (25 percent) of health insurers improperly transferred files containing protected health information.
“Although paper-based health information breaches must now be disclosed under the breach notification provision under the HITECH Act, electronic data breaches occur three times more frequently and affect 25 times more people when they occur,” said James Koenig, director and co-leader, Health Information Privacy and Security Practice, PwC. “Most breaches are not the result of IT hackers, but rather reflect the increase in the risks of the knowledgeable insider related to identity theft and simple human error – loss of a computer or device, lack of knowledge or unintended unauthorized disclosure.”