LogLogic®, the leader in log and security management solutions, and the Ponemon Institute, a privacy and information management research firm, today announced results of a national survey of healthcare IT security professionals that shows patients may be surrendering their privacy as the $2.5 trillion medical industry – prompted by federal stimulus funding – pushes to accelerate the pace of digitizing health information records.
According to the October 2009 Ponemon report, Electronic Health Information at Risk: A Study of IT Practitioners, 80 percent of healthcare organizations surveyed had experienced at least one incident of lost or stolen electronic health information in the past year – four percent had more than five patient data breaches. More than two-thirds of these healthcare organizations had already digitized at least a quarter of their patient records and a third had digitized more than half.
Electronic medical records promise to improve patient quality of care and safety – as well as reduce costs – but the study showed that IT practitioners don’t believe they have management support to protect patient privacy as a priority. According to survey respondents:
- 70 percent say senior management does not view privacy and data security as a priority;
- 53 percent say their organization fails to take appropriate steps to protect the privacy rights of patients while less than half judge their existing security measures as “effective or very effective”; and,
- The average cost of a data breach, per patient record, exceeded $210 per compromised record, creating an opportunity for organized computer crime rings to traffic in stolen medical records*.
“The majority of IT practitioners in our study don’t believe that their organizations have adequate resources to protect patients’ sensitive or confidential information,” said Dr. Larry Ponemon, chairman and founder of The Ponemon Institute. “The lack of resources and support from senior management is putting electronic health information at risk.”
The study, sponsored by LogLogic and independently conducted by the Ponemon Institute, surveyed 542 senior IT practitioners from healthcare organizations with an average of more than 1,000 employees about how secure they believe electronic patient medical records are.
“Hospital security professionals today have a unique opportunity to be patient privacy heroes,” said Guy Churchward, CEO of LogLogic. “Healthcare reform is a national priority, but we must ensure that patient data is protected.”
In addition to the Ponemon Institute study, LogLogic surveyed healthcare IT security professionals about their role as the last line of defense in protecting patient privacy to understand how they balance the benefits of electronic medical records while also instituting practices and technology solutions to guard patient confidentiality.
In that customer telephone survey, LogLogic interviewed information security professionals at seven large hospitals and medical groups representing more than a quarter of a million healthcare professionals serving millions of patients in the Northeast, North, South, Midwest and West of the United States.
Survey respondents said that the new HIPAA rules, while not a perfect security solution, are a good start in improving the protection of electronic patient records. As the head of security of one of the West’s largest hospital groups said, “In the final rules for HIPAA, if you have a breach you are by definition not compliant – none of the wishy-washiness of the original rules. This merges HIPAA privacy and security for the first time.”
The new Health Information Technology for Economic and Clinical Health Act (HITECH) offers billions of dollars in federal assistance to encourage adoption of electronic health record systems. It also expands the 1996 Health Insurance Portability & Accountability Act (HIPAA) rules for data security and privacy safeguards, including increased audits, enforcement and penalties. Among the enforcement provisions are mandatory patient data breach notification requirements.