In today’s installment, we gaze into the crystal ball to see what 2011 might have in store for us:
What are the top security and privacy issues facing the healthcare industry in 2011? A panel of healthcare experts representing privacy, trends, technology, regulatory, data breach, and governance were asked to weigh in with their forecasts for 2011. These experts suggest that as health information exchanges take form, millions of patient records—soon to be available as digital files—will lead to potential unauthorized access, violation of new data breach laws and, more importantly, exposure to the threat of medical and financial identity theft.
These predictions are supported by the recent Ponemon Institute’s Benchmark Study on Patient Privacy and Data Security, published November 2010, which found that data breaches of patient information cost the healthcare industry $6 billionannually; protecting patient data is a low priority for hospitals; and the healthcare industry lags behind the recently enacted HITECH laws.
The top predictions for 2011 include:
- Health information exchanges, many of which will be launched by inexperienced and understaffed organizations, will force more attention on security and privacy;
- Increased fines and regulatory action by State Attorneys General and regulatory agencies;
- Data breaches and associated costs will increase, as penalties for information security negligence are acted on;
- Hospital governing-boards will exert their power to manage data breach risks in order to increase accountability and fiduciary responsibility;
- A significant “data spill” is inevitable and will bring national attention to the issue;
- Heightened patient awareness and concern over the security of their private medical data;
- The finalization of data breach notification rules by the Department of Health and Human Services could remove the controversial “harm threshold” provision that determines whether notification is required when an incident occurs. If removed, this will create a risk of over notification and desensitization of patients. [Note from Dissent: it will create a risk of entities being embarrassed and patients leaving. I doubt if any patient would truly ignore a letter that provides sufficient details for them to determine whether they need to take action to protect their medical privacy.]
Industry-Wide Experts Share Their Opinions and Insight
Dr. Larry Ponemon, chairman and founder, Ponemon Institute; research experts in privacy, information security policy and information management
“Endemic failure to keep pace with best practices and advancing technology has resulted in antiquated data security, governance, policy plaguing in the healthcare industry. Millions of patients are at risk for medical and financial identity fraud due to inadequate information security. Information security in the healthcare industry is at the fulcrum of economic, technological, and regulatory influence and, to date, it has not demonstrated an ability to adapt to meet the resulting challenges—but it must. The reputation and well-being of those organizations upon which we rely to practice the healing arts depends on it.”
Dr. Deborah Peel, M.D., practicing physician and founder of Patient Privacy Rights; the nation’s health privacy watchdog
“2011 will be the year that Americans recognize they can’t control personal health information in health IT systems and data exchanges. Will 2011 be the year that data security and privacy are the top of the nation’s agenda? I hope so. The right to privacy is the essential right of individuals in vibrant Democracies. If we don’t do it right in healthcare, we won’t have any privacy in the Digital Age.”
Cliff Baker, managing partner for Meditology, a healthcare IT risk management and deployment services firm
“In 2011, we can expect that the Department of Health and Human Services Office for Civil Rights will be gearing up its proactive audits. Where does this leave OCR audits in 2011? They’re probably directed at those organizations that have breaches attributable to known and published high-risk areas. Look for those organizations to be dealing with OCR auditors camped out at their facilities in 2011.”
Ernie Hood, vice president and CIO, Group Health Cooperative; one of the nation’s largest consumer-governed health care systems
“The healthcare industry is on the verge of a major shift. Organizations are venturing into the electronic world for the first time as practices implementing electronic health records and states are launching health information exchanges. A surge of new data will be brought online by a lot of inexperienced organizations fueled by monetary government incentives. Mistakes are a certainty. Combine this with sophisticated approaches to identity theft by organized crime, and breaches will happen. When a breach occurs, the way the organization handles it publicly will be critical.”
Rick Kam, president and co-founder, ID Experts; comprehensive data breach solutions
“Health information exchanges will raise the awareness of security and privacy. I am seeing organizations shift their focus from implementation of electronic health records to a focus on the next phase of “meaningful use,” specifically how they are going to share patient records though health information exchanges. There will also be more concern over accountability if PHI is breached. How will a patient know who is responsible when a health information exchange has a data breach? Who will they hold accountable to fix the problem and for the financial, reputational, and other damage they experience? I think a lot of work needs to be done in this area and it will come into focus as a ‘must do’ initiative in 2011.”
Sandeep Tiwari, CEO, Zafesoft, Inc.; provider of information security and control software
“As healthcare information becomes more mobile, issues with security will only become increasingly complex. Healthcare is a mammoth space that changes and moves slowly, but when it does, it moves en masse. In the case of PHI/PII the laws were ahead of the technology. To date, there have been no secure audit trails, which impacts the effectiveness of the laws. If we can’t track how and when private and personal information is accessed, we will never secure it.”
Larry Walker, president of The Walker Company; governance consultant to health care organizations
“Patient health information data breaches are one of the most significant legal and public trust risks facing hospital governing boards, which are legally and ethically accountable for the results of a breach. The board of trustees has a fundamental fiduciary responsibility to ensure that patients’ health information is safe and secure at all times. To do this, boards must establish the prevention of data breaches as a critical organizational priority, ensure that financial resources sufficient to achieve the objective are made available, and require periodic updates from senior management on data breach risks and methods being utilized to close potential breach gaps. This should be one of the critical agenda items for hospital and health system boards in 2011.”
About ID Experts
ID Experts is the leader in comprehensive data breach solutions that deliver the most positive outcomes. The company has managed hundreds of data breach incidents, protecting millions of affected individuals, for leading healthcare organizations, corporations, financial institutions, universities and government agencies. In healthcare, the company contributes to relevant legislation and rules including HITECH and is a corporate member of HIMSS. ID Experts is active with organizations that advocate for privacy for Americans including ANSI/Identity Theft Prevention, Identity Management Standards Panel and the International Association of Privacy Professionals. For more information, visit http://www.idexpertscorp.com/.
SOURCE: ID Experts