HIMSS Analytics (short for Healthcare Information and Management Systems Society), a “think tank” for the management of health care worldwide, published the 2008 HIMSS Analytics Report: Security of Patient Data.
The report examines the security of patients' personally identifiable information (PII) and protected health information (PHI). In the current data-breach-crazed climate this is a timely report, one that gets beneath the surface of two competing needs: health professionals need quick access to a patient's recorded health information, and patients need their privacy protected, not only by preventing unauthorized access but by securing information against access attempts that could lead to identity theft. See the press release.
In discussing PHI and PII it is important to begin with a fact. Unauthorized access to PII, no matter where it is found, can lead to identity theft. Unauthorized access to PHI alone will not, in most cases, lead to financial identity theft. It could be used to identify a potential scam victim by placing the consumer/victim at a specific location, and it can give fraudsters a reference point for that consumer's vulnerability. It is also unlikely to lead to medical identity theft. In terms of the information actually needed to commit identity theft, date of birth and Social Security number are far more valuable than PHI. A consumer may feel that their privacy was violated when PHI has been exposed, but unless PII is included in the exposed data, the affected patient should be only slightly more exposed to identity theft than consumers who were not affected.
Health-care organizations, or as HIPAA labels them, “covered entities,” must still treat all personal information of their clients/patients the same. Other obligations concerning the privacy of health-care data are mandated by Sarbanes-Oxley and Gramm-Leach-Bliley, and in some cases the PCI Data Security Standard also applies. Compliance with these three laws and the PCI standard requires a health-care entity to take formal steps to ensure that appropriate privacy and security policies and procedures are implemented.
The HIMSS report may reflect a gap between policy and appropriate procedures and practices. Most of the healthcare facilities responding to HIMSS indicated that their organization has implemented a security policy (p. 4 of the report). The study goes on to say that these measures are monitored regularly, with “85 percent of respondents indicating that their policy was updated on an annual basis, if not more often” (p. 4 of the report).
But the report also shows that employees are considered the biggest threat of causing a breach of patient data (pp. 6 and 15 of the report). Respondents indicated that although new-hire training covered security-related issues in 95% of organizations, only 64% of respondents required some form of ongoing security refresher training (p. 8). On the surface it is fair to conclude that health-care facilities do not place much confidence in their security training. This is an area where security implementation could be improved by opening training up to all areas of the organization and ensuring that each task performed in the facility is addressed. Or, as Brian Lapidus, Chief Operating Officer of Kroll Fraud Solutions and sponsor of the survey, put it in the press release:
“There is a dangerous assumption in the healthcare industry that education leads to policy implementation and change,” said Mr. Lapidus of Kroll. “Best practices in data security cannot be achieved by staff training alone. Organizations must make data security a part of their DNA, reflected in every aspect of doing business.”
Perhaps some of the distance between policy and practice identified in the report can be traced to healthcare organizations having focused much of their security effort and resources on IT-related security at the expense of employee training. Ninety-seven percent (97%) of respondents have implemented “technical IT security,” while only 70% have implemented formal training. This discrepancy can be compared and contrasted with the actual breaches reported by respondents. The HIMSS results show that health-care management's concern about employees is justified: employee “unauthorized use of information” led the list, accounting for 62% of all breaches among the 32% of respondents reporting one, followed by “unlawful access of paper-based patient information” (p. 18). In addition, in response to the question “Who was the perpetrator of the security breach?” 80% identified a current employee. While improper release of PII or PHI originated with an employee 62% of the time, only some of these events are likely the result of a blatant attempt to steal data; many of them are probably the unintended consequences of a bustling medical facility that often reacts to demands in a hurry.
Based on this study, healthcare facilities and employers seem to understand what causes misuse of data, yet they address these concerns ineffectively. Focusing on data security from the IT perspective does not deal with the fact that employees with authorized access to information cause breaches, whether intentionally or unintentionally, and are the greatest threat to patient privacy and to preventing identity theft. Better background screening and higher thresholds for new hires may address some of this problem. The quest for a national patient record access system may or may not solve this problem once implemented, but such a solution must not make theft of information easier. Healthcare management faces the daunting task of determining what changes are needed to keep patients' PII and PHI from being breached while keeping it accessible to the health professionals who need it. Based on the HIMSS results, the policies and procedures at many American medical institutions must be re-evaluated with a mind to promoting a culture of data protection. A copy of the report can be downloaded here.