03 Jan

Survey Finds Healthcare Industry Failing in Patient Privacy

Posted by Ephraim Schwartz in Mobile Security
Ephraim Schwartz served as editor-at-large for InfoWorld for 12 years and is now

The Second Annual Benchmark Study on Patient Privacy and Data Security by the independent research outfit Ponemon Institute finds that data breaches were up 32 percent in 2011 due to “sloppy mistakes” and “unsecured mobile devices.”

To anyone who has been following data breaches in the healthcare industry over the last year, these findings shouldn't come as any surprise.

According to the study, there was a whopping 46 percent increase in illegally obtained patient records and a 32 percent increase in overall data breaches from the previous year. The study puts the blame for all of this on “sloppy employee mistakes.”

This is a copout. Employees make mistakes when they are untrained, unmotivated and underpaid. I have no doubt the breaches could have been prevented by better employee diligence but in my experience mistakes happen from the top down, not from the bottom up.

Whatever the cause, the survey results reveal the lack of privacy protection most clients experience when they visit any healthcare facility.

Mobile devices also come in for their share of the blame. According to the healthcare facilities surveyed, more than 80 percent use mobile devices to collect, store and transmit patient health data. Yet half of the respondents said nothing was being done to protect these transmissions or the transmitting devices. Perhaps even more startling, most of the survey respondents were employed in the data protection, security, privacy or compliance fields at these institutions.

Here’s another scary finding that should give any company trusted by law to maintain and protect personal information something to think about: According to the survey, “The closer the (healthcare) personnel are to the data, such as billing and IT, the higher the probability of not following policies and procedures.”

It would be almost laughable if it weren’t so serious.

But, coming back to my point about a lack of employee training: a full 42 percent of the respondents admitted their administrative personnel don’t understand the importance of protecting patient data. See what I mean? Whose fault is that?

The real danger, as the survey reveals, is that data breaches lead to medical identity theft. Ninety percent of the respondents said data breaches harm patients.

Perhaps lack of training, low wages and poor morale can all be blamed on money. Seventy-three percent of the respondents said their organization lacked sufficient resources to “prevent or detect data access, loss or theft.”

The study offers three pieces of advice that, again, are useful for any company, not just organizations in the healthcare industry:

First, know what you need to protect. Companies should take an inventory of “every element of personally identifiable information that it holds.”

Second, a company must develop an Incident Response Plan, which would “designate roles and provide guidelines” for a response team.

Finally, companies should constantly review their contracts and agreements with business associates to define how those associates are handling the sensitive data being shared, for whatever purpose.

The survey results are based on self-reported benchmark survey returns, according to Ponemon, and are skewed toward “larger-sized healthcare organizations.”
