After compiling and publishing data for the Ponemon Institute LLC's Third Annual Benchmark Study on Patient Privacy & Data Security, the researchers realized that, in addition to the growing awareness of data breaches, health care organizations could use help building best practices for preventing breaches and securing information.
Toward that end, Larry Ponemon, Ponemon Institute founder, and study sponsor Rick Kam, president and cofounder of health IT security consultancy ID Experts, developed advice for building compliance with the Health Information Portability and Accountability Act (HIPAA) in general and for preventing patient data breaches specifically. The advice is based on the responses of more than 400 respondents spanning 80 different health care organizations, who detailed how they approach privacy and security in health IT -- or, in some cases, don't approach it.
- Increase compliance and IT security budgets, and change your organization's outlook today. Three out of five health care organizations don't have the budget to operationalize data breach prevention. Breaches are perceived as occasional disasters instead of daily incidents that can be stopped through prevention-minded vigilance implemented through policy, training and technology to support them. Increasing the emphasis can effect change from the top leadership levels.
- Understand and take strides to correct medical identity theft. The study defined it as "the theft of a patient's health credential to obtain medical treatment, services and products (devices)." It happened 1.85 million times in the U.S. in 2012, according to Kam. Unlike financial data theft, medical identity theft can affect a person's health and safety when incorrect data is intermingled with actual clinical data -- and by definition, every medical identity theft begins with a data breach. Offer some sort of monitoring and protection for patients who fall victim to it. Of the organizations surveyed, 75% do not offer protection, although most were aware medical identity theft happens.
- Emphasize pre-breach prevention as well as post-breach response. Such a mindset among employees will be reinforced by developing metrics to measure how well patient information is being protected, and reporting to the board of directors on progress toward improving it, with one board member accountable for privacy and security. Doing so will make privacy and security compliance top-of-mind for employees instead of buried somewhere in a host of other compliance or IT initiatives.
- Make privacy assessments and data security risk assessments separate annual events. In the HITECH Act era, during which health care organizations are bringing new applications online and using new business associates for IT support (such as cloud vendors), it's not only a good idea, it's the law.
- Update policies and procedures to include mobile devices, health information exchange and cloud usage. Ponemon's study revealed that in the absence of strong policy, employees will use potentially unsecured, free Web services to share patient data and make it accessible on their mobile devices. They're convenient, yes, but unlikely to be HIPAA-compliant.
- Keep incident response plans up-to-date. That means testing them, too, on a regular basis.
- Conduct a mock HIPAA compliance audit. That way you'll be ready if your organization is audited in the federal program piloted in 2012 and set to go live in 2013. Not only will it serve as a dress rehearsal for when the auditors show up unannounced, Kam said, but "more importantly, it will force a lot of the right questions to be asked of the management team so they can focus their efforts on where to spend [their energies] on risk mitigation strategies." A former auditor himself, Ponemon concurred, adding that audit programs in general force a higher level of accountability that might not already be present in organizations, because they create real consequences for policy noncompliance.
This was first published in December 2012