Among the findings of the 2008 HIMSS Analytics Report: Security of Patient Data, commissioned by Kroll Fraud Solutions, is that patient data collected and stored in hospitals and health care facilities is a prime target for malicious data hunters.
The patient records in these facilities include the golden combination that data fraudsters require -- names, Social Security numbers and dates of birth. Records also contain mailing address, insurance policy information, medical history and sometimes credit card and financial information used to expedite billing and payment -- “more data in one record than those of any other source such as banks, schools or HR departments.”
The report, which polled 263 IT executives and chief security officers, found that in the period from 2006-2007, more than 1.5 million names were exposed during data breaches that occurred in hospitals alone.
Among the top reasons for this, the study found, was a “lack of awareness within the health care industry around the frequency and seriousness of identity theft that negatively impacts efforts to contain the problem and reduce the risk.”
The report pointed to vague language in the many regulatory laws -- including HIPAA, the Sarbanes-Oxley Act of 2002 (SOX), and the Payment Card Industry Data Security Standard (PCI DSS) -- that has enabled breach cases to go unreported, preventing an accurate accounting of their frequency.
“Only 56 percent of respondents who experienced a security breach notified the patients involved, indicating that compliant organizations do not always recognize the need to report breaches or notify patients with exposed records depending on the circumstance,” the report stated.
While the study found that HIPAA awareness is high in large organizations, the law “does not specifically identify how organizations should implement security controls. It allows them latitude to make these determinations based on risk analysis.”
Some good news might be that only a small percentage of breach sources were found to be the result of malicious intent, such as stolen laptops/computers or deliberate acts by unscrupulous employees.
The majority of respondents (62 percent) who indicated that they had a breach at their organization identified the source as unauthorized use of information, while 32 percent identified wrongful access of paper records.
But dismissing a malicious or neglectful employee does not solve this problem, the study found. It only removes the offender.
“Organizations need to continue to be vigilant about ensuring that their security policies and procedures are enforced and that educating employees remains a top priority,” the study said. “Health care organizations also need to monitor that employee behavior is compliant with the security policies that have been put in place.”
There are a number of factors in the health care industry that raise concerns about the frequency and severity of patient data breaches and support the need to modify both regulatory and operational environments to address the situation more aggressively, the study found.
First, when conducting a risk analysis and putting a plan into place, organizations need to be aware of the full range of areas where security breaches can take place, from inadvertent access by employees to malicious intent, the study found.
Second, the study found that there is an over-reliance on employee education and disciplinary action as effective prevention and response techniques.
“These do not address the incidence of malicious intent that is responsible for the industry's largest and most damaging breaches,” the report said.
A paradigm shift in the approach to patient data security is called for, the study concluded. It would be most appropriate to treat the process as an “ongoing operational and behavioral change that guards against both malicious theft of patient data records for fraudulent purposes, as well as inappropriate access during treatment,” the report stated.