As the health care industry embraces technology, risks related to data breaches are changing, yet human error remains a big concern.
Ponemon Institute, an independent research and strategic consulting organization, published the Fourth Annual Benchmark Study on Patient Privacy and Data Security in March, noting security and privacy threats to health care organizations and patient records.
The annual study is based on survey responses from more than 90 organizations, with most of the individuals employed in compliance, patient services or privacy roles. According to the report, the types of health care organizations participating in the study consist of hospitals or clinics incorporated within a network, integrated delivery systems and standalone hospital or clinics.
Art King, chief security officer at Metro Health, said although the institute is relatively reliable as a source of information, he is concerned with the terms often used throughout the study.
“Some of the terms used are pretty broad-brushed,” said King. “When they talk about data breaches, according to HIPAA regulations, a data breach is any time a patient’s information is accessed inappropriately — and that can be one person or 100,000 people, so what kind of breaches are they talking about?”
According to the U.S. Department of Health and Human Services, the Office for Civil Rights enforces the Health Insurance Portability and Accountability Act of 1996, which protects the privacy of individual health information. The office also is responsible for the HIPAA Security Rule, which regulates national standards for ensuring appropriate protection for health information.
Sponsored by ID Experts, a software and consulting services company, the annual study focuses on criminal attacks in regard to data breaches within health care organizations. According to the report, key findings included: the number of data breaches has decreased in health care organizations; criminal attacks on health care organizations have increased significantly since 2010; the Affordable Care Act exchange increases risk in terms of patient privacy; and employee negligence is considered the biggest security risk.
According to King, the issue with the Affordable Care Act is more related to an increase of millions of additional people registered for health care; however, he agrees employee negligence is an area on which hospitals need to focus.
“The thing that we have to constantly do is to educate the employees and make sure that errors don’t happen,” said King. “They deal with thousands of things every day, so one mistake can cause information to be faxed to the wrong fax number … and in most cases, it is not their entire record; it is one piece of information.”
Metro Health conducts privacy and security educational training during orientation for new employees, in addition to mandatory education each year for all employees within the health care organization. King said he conducts sessions with departments in conjunction with the privacy officer to emphasize recent issues or events that may have proven problematic.
Scott Dresen, vice president of information services at Spectrum Health, said the organization uses a comprehensive layered approach for security with policies, technical controls and employee education and training.
“We have comprehensive policies and procedures in place that guide both technical controls and how we manage our environment, as well as behavioral controls in terms of how our staff leverage and use the technology,” said Dresen. “We also have security awareness training with our staff as part of new employee orientation, organizational security messaging and annualized security training.”
With the use of electronic medical charts, insider negligence as the cause of data breach resulted after a technology device was lost or stolen, from employee mistakes or carelessness. According to the study, criminal attack increased from 20 percent in 2010 to 40 percent in 2013 based on survey responses.
“I think, historically, physical access to paper charts was far more limited and localized to the region where those documents existed, so the availability of access to that information was reasonably constrained geographically,” said Dresen.
“In the context of electronic information, if they are able to circumvent security controls that might be in place, (it makes) for a much broader exposure potential for people who may want to access that information.”
According to King, electronic medical records can eliminate potential human errors, especially in terms of patient care, and can decrease manual handling.
“There is a ton of protection built into the electronic environment,” said King. “But trillions of people could have access to an electronic chart, perhaps, if they were a good enough hacker, whereas the paper charts were primarily kept in the building.
“However, I do believe paper charts were more susceptible to issues than electronic charts only because there was so much manual handling and moving them from building to building, leaving them out on countertops.”
Although both Dresen and King think electronic medical records are more susceptible to data breaches than paper charts, Dresen pointed out that the type of risk is different.
“In the days when they were paper-based charts, your risks were different and the motivation for breaches was different,” said Dresen. He said criminal enterprises are monetizing the stolen information, which makes stealing the data worth their effort.
Ellen Bristol, director of communications and public relations at Metro Health, said as hospitals and the health care industry increasingly move toward electronic medical records, it is important for consumers not to be wary of patient information that is housed electronically.
“There is risk involved in any kind of chart, so the risks are changing,” said Bristol. “Everyone is so focused on the layers of security and processes in place, I think that it would be a shame for people to think about electronic medical records and be afraid, because there is a huge benefit.”