Protected health information (PHI) data breaches are growing in frequency and magnitude as the healthcare industry moves to adopt electronic health records (EHR), say a group of standards and security organizations. The healthcare industry must take action to better defend PHI if it wants to keep the public's trust, they say.
The Identity Theft Prevention and Identity Management Standards Panel (IDSP) of the American National Standards Institute (ANSI), in partnership with The Santa Fe Group/Shared Assessments Program Healthcare Working Group and the Internet Security Alliance (ISA), on Monday unveiled a report, The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security, at a press conference kicked off by White House Cybersecurity Coordinator Howard A. Schmidt. The report is intended to help CIOs, CSOs and IT security, privacy and compliance staff create a compelling business case for enhanced security to present to business executives.
"When it comes to cybersecurity, we all have a role whether we're a consumer, the executive of a company or a political leader," Schmidt says. "By working together, we can make sure we make the improvements that ensure the balance between privacy rights and security. While we can't solve all the problems in the world when it comes to cybersecurity and privacy, we can affect those parts we're responsible for."
Privacy Protections Critical to Trust
Joe Bhatia, president and CEO of ANSI, added, "Privacy protections are absolutely critical to maintaining consumer trust in this information age. In the U.S., the healthcare delivery system is founded upon trust. This trust, as we all know, is now being severely tested."
According to the 67-page report, which involved a cross-section of more than 100 healthcare industry leaders from more than 70 organizations, nearly 39.5 million EHRs were breached between 2005 and 2008. In addition, within the past two years, the health information privacy of nearly 18 million Americans, a number roughly comparable to the population of the state of Florida, was breached electronically.
The data points don't end there. Between September 2011 and November 2011, a government benefits program suffered the theft of the EHRs of 4.9 million military personnel, the health information of 4 million patients of a reputable West Coast healthcare system was stolen electronically, and a major academic medical center inadvertently disclosed the EHRs of 20,000 of its patients. In November of last year, Ponemon Institute completed a survey of 72 provider organizations and found that 96 percent of respondents reported at least one data breach in the past 24 months. On average, Ponemon Institute found that health organizations have experienced four data breach incidents over the past two years.
"Healthcare is one of the most-breached industries," says Dr. Larry Ponemon, chairman and founder of Ponemon Institute. "Healthcare providers and supporting organizations don't currently have sufficient security and privacy budgets, including adequate processes and resources, to protect sensitive patient data."