Protected health information (PHI) data breaches are growing in frequency and magnitude as the healthcare industry moves to adopt electronic health records (EHR), say a group of standards and security organizations. The healthcare industry must take action to better defend PHI if it wants to keep the public's trust, they say.
The Identity Theft Prevention and Identity Management Standards Panel (IDSP) of the American National Standards Institute (ANSI), in partnership with The Santa Fe Group/Shared Assessments Program Healthcare Working Group and the Internet Security Alliance (ISA), on Monday unveiled a report, The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security, at a press conference kicked off by White House Cybersecurity Coordinator Howard A. Schmidt. The report is intended to help CIOs, CSOs and IT security, privacy and compliance staff create a compelling business case for enhanced security to present to business executives.
"When it comes to cybersecurity, we all have a role whether we're a consumer, the executive of a company or a political leader," Schmidt says. "By working together, we can make sure we make the improvements that ensure the balance between privacy rights and security. While we can't solve all the problems in the world when it comes to cybersecurity and privacy, we can affect those parts we're responsible for."
Privacy Protections Critical to Trust
Joe Bhatia, president and CEO of ANSI, added, "Privacy protections are absolutely critical to maintaining consumer trust in this information age. In the U.S., the healthcare delivery system is founded upon trust. This trust, as we all know, is now being severely tested."
According to the 67-page report, which involved a cross-section of more than 100 healthcare industry leaders from more than 70 organizations, nearly 39.5 million EHRs were breached between 2005 and 2008. In addition, within the past two years, the health information privacy of nearly 18 million Americans-a number roughly comparable to the population of the state of Florida-was breached electronically.
The data points don't end there. Between September 2011 and November 2011, a government benefits program suffered the theft of EHRs of 4.9 million military personnel, the health information of 4 million patients of a reputable West Coast healthcare system were stolen electronically and a major academic medical center inadvertently disclosed the EHRs of 20,000 of its patients. In November of last year, Ponemon Institute completed a survey of 72 provider organizations and found that 96 percent of respondents reported at least one data breach in the past 24 months. On average, Ponemon Institute found that health organizations have experienced four data breach incidents over the past two years.
"Healthcare is one of the most-breached industries," says Dr. Larry Ponemon, chairman and founder of Ponemon Institute. "Healthcare providers and supporting organizations don't currently have sufficient security and privacy budgets, including adequate processes and resources, to protect sensitive patient data."
"The entire healthcare delivery system depends upon a single transaction: your willingness to share the most intimate details of your personal information with your physician," adds James C. Pyles, panel member and principal with Powers Pyles Sutter & Verville PC. "You have to trust that the information won't be used to harm you or your children. If you're dealing in this business of handling health information electronically or any information electronically, you're touching on a very tender nerve that people have."
Pyles added, "It's more than breaches, it's also understanding, as a business, the expectations of your customers. If you frustrate those expectations, I promise you, you will be sued."
Part of the problem, says Catherine Allen, chairman and CEO of The Santa Fe Group, is that the financial incentives are on the side of those who seek to steal medical records. Allen said medical records go for $50 a record on the underground market, making them much more lucrative than even financial information. "It's very valuable data," she says.
Evaluating the Cost of Data Breaches
The new report is intended to be a tool to help organizations quantify overall potential data breach costs and to provide a methodology for determining an appropriate level of investment needed to strengthen privacy and security programs and reduce the probability of a breach.
"No organization can afford to ignore the potential consequences of a data breach," says Rick Kam, president and co-founder of ID Experts and chair of the PHI Project. "We assembled this working group to drive a meaningful dialogue on appropriate levels of investment to better protect healthcare organizations and PHI."
He added, "One of the things that we realized as we started to work through this process is that the chief information officer, the chief security officer, they're essentially getting outgunned by the criminals. It's not that we don't have the technology or processes or people to deal with this problem. It's that we don't have enough focus and investment from the executives."
The report provides a five-step method, the PHI Value Estimator (PHIve), for estimating breach costs and what needs to be done to protect organizations. The PHIve provides detailed information about each of the steps, which include: conducting a risk assessment, determining your security readiness score, assessing the relevance of a cost, determining the impact and calculating the total cost of a breach.
"Cybersecurity is not an IT issue," says Larry Clinton, president and CEO of the Internet Security Alliance. "It is an enterprise-wide risk management issue that needs to be addressed in a much broader sense."
Thor Olavsrud is a senior writer for CIO.com. Follow him @ThorOlavsrud.
Read more about health care in CIO's Health care Drilldown.