It has been more than six years since the ChoicePoint data breach thrust the issue of privacy protection into the headlines. Since then hundreds of information security failures have been disclosed and the tools and techniques used to keep sensitive information safe have advanced at a healthy pace. Recent incidents in the healthcare industry, however, strongly suggest that best practices have not been universally adopted.
Looking deeper into this issue with our recent Benchmark Study on Patient Privacy and Data Security, sponsored by ID Experts, we learned something about the extent to which poor security practices are costing healthcare organizations. Here are some of our findings:
· Data breaches cost the healthcare industry $6 billion per year;
· Data breaches cost healthcare organizations an average of $1 million per year;
· Lack of staff and lack of preparation (policies and processes) are blamed for most data breaches; and,
· The HITECH Act has not resulted in significant change to the industry’s approach to data protection.
Looking over some recent data breach incidents in healthcare I see breakdowns in access governance, failure to encrypt, loss or theft of devices, and disposal of unshredded documents. These causes are not unique to the industry, but the magnitude of some events stands out and suggests to me that the industry is struggling with the challenge of migrating from a largely paper-based model to a networked, digital one, and of being asked to do so quickly.
As I told Andy Greenberg at Forbes, hospitals have had a tradition of lousy IT that relies on paper billing records and filing without serious privacy controls. Migrating to electronic health records can help to address information protection, but attempting to manage security and protect privacy in a digital world using paper processes is a nightmare.
ID Experts president Rick Kam believes patient trust is being sacrificed at the altar of profit margins. “It is clear that in healthcare organizations today, patient revenue trumps risk management,” Rick told me. “Everyone is chasing electronic health record stimulus dollars and there is no allocation or consideration for protecting patient data.”
The good news is that the healthcare industry doesn’t have to start from scratch, but can learn from the experience of the financial services and other consumer-facing industries. The sooner this happens, the better for everyone who is a consumer of healthcare services – and that is everyone.