Health Organization Lagging In Ensuring Data Privacy, Security

March 5, 2012

Many health care organizations lack sufficient resources to adopt strong privacy and security protections for patient data, according to a report by a coalition of health care and data security groups, Modern Healthcare reports (Conn, Modern Healthcare, 3/5).

About the Report

The coalition includes the:

  • American National Standards Institute;
  • Internet Security Alliance; and
  • Santa Fe Group (Goedert, Health Data Management, 3/5).

For the report, researchers surveyed more than 100 health care industry executives from more than 70 organizations about how their organizations handle protected health information, also called PHI (ANSI release, 3/5).

Report Findings

Researchers found that:

  • 76% of survey respondents said their organization has taken “effective steps” to protect PHI; and
  • 75% said they agree or strongly agree with the statement, “We have effective policies to protect PHI.”

However, the survey also found that:

  • 32% of respondents said they disagreed or strongly disagreed with the statement, “We possess sufficient resources to ensure that [PHI privacy and security] requirements are currently being met;” and
  • 28% of respondents said they disagreed or strongly disagreed with the statement, “Management views privacy and security as a priority.”

When asked to name the most significant challenges preventing their organizations from ensuring the privacy and security of PHI:

  • 59% of respondents cited a lack of funding (Modern Healthcare, 3/5);
  • 40% cited a lack of time; and
  • 32% cited insufficient executive support (Strohm, Bloomberg, 3/5).

Method for Evaluating Data Security Risks

The report also describes a five-step method for evaluating health data security risks. The method, called the PHI Value Estimator, or PHIve, aims to help organizations:

  • Estimate the potential costs of a data breach; and
  • Determine the amount of investment necessary to strengthen privacy and security protections and reduce the likelihood of a data breach (Monegain, Healthcare IT News, 3/5).