Our guest blogger this week is Karen Barney of the Identity Theft Resource Center (ITRC).
According to one recent study[i], more than 19 million health records have been compromised since August 2009. As the health care industry moves toward adopting electronic health records (EHRs), medical breaches have become a more significant concern. Such studies aim to establish a business case for health organizations to build stronger compliance programs that enhance the security and privacy of protected health information (PHI). The programs focus primarily on the financial risk that health organizations face, examined through the elements that pose a threat. For example, these risks can arise from the growing number of varied health care organizations handling PHI, and from human threats, which may come from malicious insiders, outsiders, or even cyber-crime rings. They may also include the dissemination of data through wireless or mobile devices, and other channels such as lost or stolen information.
PHI is valuable to identity thieves because it provides a lucrative outlet for medical identity theft. The rewards of this crime have surged because it is commonly tied to financial identity theft. The released studies highlight the need for organizations in the health care industry to assess the threats to PHI, the consequences of a breach, and their own vulnerability. The proposed areas for consideration include procedures, policy, and the technology threats to the security of PHI. With that said, privacy and security should be treated as a priority by health care organizations. To determine the impact, these organizations need to analyze the relevance of the problem and the consequences that arise from it. In doing so, health care organizations will need ample and strong support for security; safeguards and controls; accessibility of resources; accountability from leadership executives and below; strong authentication practices; and knowledge of how PHI flows within the organization and related entities.
In the health care community, privacy is a fundamental right, protected not only by laws such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) but also expected by the patient. As the health industry adopts electronic files, the number of organizations handling PHI increases. An understanding of the risks and their impacts, financial or otherwise, can help organizations that handle PHI strengthen their prevention and detection efforts and reduce their liability. A breach of PHI creates problems both for the organizations and for the patients whose information they are entrusted to protect.
[i] Redspin study, Breach Report 2011/Protected Health Information