Breaches into protected health information (PHI) are on the rise, and staffers are responsible for more than a third of the intrusions, a new survey has found.
The “2011 Survey of Patient Privacy Breaches” from Veriphyr, a Los Altos, Calif.-based provider of identity and access intelligence, determined that more than 70 percent of organizations surveyed were targets of one or more breaches of PHI within the last 12 months. And, insiders were responsible for the majority of breaches, with 35 percent taking an unauthorized look at medical data of fellow employees and 27 percent peeking at records of friends and relatives.
The survey, released Wednesday, tabulated responses from 90 compliance and privacy officers at mid- to large-size hospitals and health care service providers who were asked online about their views of privacy and compliance initiatives within their organization, the adequacy of tools used to monitor unauthorized access to PHI, and the number and type of breaches sustained in the past year.
“We were not very surprised to discover that more than 70 percent of the organizations surveyed were victimized last year,” Alan Norquist, CEO and founder of Veriphyr, told SCMagazineUS.com on Tuesday.
Breaches of PHI are becoming more common, the Veriphyr report determined, as evidenced by the fact that data breaches of patient information cost health care organizations nearly $6 billion annually, according to a Ponemon Institute report.
But what stood out in the survey for Norquist was the prevalence of insider abuse. Even the health care personnel themselves are concerned that fellow staffers will abuse the system and take a look at their personal health records out of curiosity, Norquist said.
But, he added, there is a second motive for insiders sneaking looks at health records: identity theft. With a growing market for personally identifiable information, health care personnel increasingly are being recruited to feed sensitive information to outsiders for Medicaid fraud and credit card schemes, he said.
The challenge going forward is that trained information technologists are in short supply, particularly in the health care field. That means many organizations will turn to outsourcing for help.
But those services have become a more viable option for health care providers owing to new requirements imposed by HIPAA and the HITECH Act, which make service providers as responsible for protecting records as the health care facilities themselves.
“Hospitals have changed contracting to make sure service providers are secure,” Norquist said.