Whether protected health information (PHI) is exfiltrated, hacked or simply viewed by someone not authorized to see it, the result is a health care data breach. Such breaches are a chief concern for health care professionals and need to be kept under control. That has not been the case, according to an August 2011 survey by Veriphyr.
The online survey asked respondents about perceptions of privacy and compliance; the tools they use to monitor for unauthorized access to PHI; the types of breaches they sustained in the past year; and how long those breaches took to detect and resolve, among other topics. The results are telling.
Approximately 71% of respondents reported suffering a breach of PHI in the past year, a result that came as no revelation to Alan Norquist, CEO of Veriphyr, a security vendor whose products monitor enterprise user access. “Given that data breaches of patient information cost healthcare organizations nearly $6 billion annually, we were not very surprised to discover that more than 70 percent of the organizations surveyed were victimized last year,” he said.
The types of breach varied, and 38% of respondents reported two or more types. The most common was “snooping into medical records of fellow employees” (35%), followed by “snooping into records of friends and relatives” (35%), “loss/theft of physical records” (25%) and “loss/theft of equipment holding PHI” (20%). Notably, the two most common categories are insider misuse of legitimate access rather than external attack or lost hardware.
Many breaches were discovered within one to three days (30%), some within one week (12%), and others only after two to four weeks (17%). Discovering a breach is only half the job; resolving it matters just as much: 25% of respondents resolved the breach in two to four weeks, 18% within one week and 16% within one to three days.
Although 80% of respondents were satisfied with their senior management's support for compliance and security, there is considerable concern about the tooling used to detect PHI breaches. Some 79% said they were “somewhat concerned” or “very concerned” that their existing controls do not enable timely detection of breaches of PHI, and 52% stated they did not have adequate tools for monitoring inappropriate access to PHI. Improving the ability to monitor access to PHI is seen as a worthwhile investment: 47% of respondents plan to increase their investment in PHI access monitoring over the next year.
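The two most common breach types in the survey, staff snooping into coworkers' records and into records of friends and relatives, are misuse of legitimate credentials, so they show up only in access audit logs, not in perimeter or malware alerts. The following is an added illustration, not code from the article or from Veriphyr, of the kind of rule-based review such monitoring tools perform over an EHR access log. It assumes a (constructed) log of record views, a care-team roster that says which users have a treatment relationship with each patient, and a roster of patients who are also employees; the rule names and data layout are hypothetical.

```python
from collections import Counter
from datetime import datetime

# Constructed sample data: not from the survey or any real system.
# Patients who are also staff members: patient_id -> that employee's user id.
EMPLOYEE_PATIENTS = {"P1002": "u_nurse_b"}

# Users with a documented treatment relationship for each patient.
CARE_TEAM = {
    "P1001": {"u_dr_a", "u_nurse_b"},
    "P1002": {"u_dr_c"},
    "P1003": {"u_dr_a"},
}

# Constructed EHR access-log events (ISO timestamps, user, patient, action).
ACCESS_LOG = [
    {"ts": "2011-08-01T08:05:00", "user": "u_dr_a", "patient": "P1001", "action": "view"},
    {"ts": "2011-08-01T08:07:00", "user": "u_nurse_b", "patient": "P1002", "action": "view"},
    {"ts": "2011-08-01T09:12:00", "user": "u_clerk_d", "patient": "P1002", "action": "view"},
    {"ts": "2011-08-01T09:15:00", "user": "u_dr_c", "patient": "P1002", "action": "view"},
    {"ts": "2011-08-01T10:30:00", "user": "u_clerk_d", "patient": "P1003", "action": "view"},
]


def classify(event, care_team, employee_patients):
    """Return a finding category for one access event, or None if it looks legitimate.

    Rules (hypothetical, in priority order):
      employee_record_snooping  - patient is a staff member, viewer is neither that
                                  staff member nor on the patient's care team
      self_access               - staff member viewing their own record (usually
                                  policy-restricted, so surfaced for review)
      no_treatment_relationship - viewer is not on the patient's care team
    """
    user, patient = event["user"], event["patient"]
    if user in care_team.get(patient, set()):
        return None
    owner = employee_patients.get(patient)
    if owner is not None and owner != user:
        return "employee_record_snooping"
    if owner == user:
        return "self_access"
    return "no_treatment_relationship"


def review_log(log, care_team=CARE_TEAM, employee_patients=EMPLOYEE_PATIENTS):
    """Run the rules over every event, oldest first, and return the findings."""
    findings = []
    for event in sorted(log, key=lambda e: datetime.fromisoformat(e["ts"])):
        category = classify(event, care_team, employee_patients)
        if category is not None:
            findings.append({**event, "finding": category})
    return findings


def findings_by_user(findings):
    """Count findings per user so repeat offenders rise to the top of the review queue."""
    return Counter(f["user"] for f in findings)


if __name__ == "__main__":
    for f in review_log(ACCESS_LOG):
        print(f"{f['ts']} {f['user']:10} {f['patient']} {f['finding']}")
    print(findings_by_user(review_log(ACCESS_LOG)))
```

Real deployments derive the care-team relationship from scheduling, admission and order data rather than a static table, and add rules the page does not discuss (volume spikes, after-hours access, VIP patients). The point the survey numbers make is that without some review of this kind, the most frequent breach category is invisible until a patient complains.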
Whether the cause is accident or willful neglect, data breaches can result in steep fines. Since the HITECH Act took effect, affected patients must be notified when their PHI is breached, and the notice must include particulars such as when the breach occurred, which PHI was involved, what is being done to investigate and resolve it, and what steps patients can take to protect themselves from further harm.