
Most health organizations aren’t ready to protect patient data as access to confidential patient records expands, according to a PricewaterhouseCoopers report.
As new uses for digital patient information grow, according to PwC, health organizations need to step up their act to make sure their patient information doesn’t fall into the wrong hands.
Old privacy and security controls aren’t thorough enough to comply with existing privacy laws and patient consent agreements, according to the report, which recommends that organizations adopt a more integrated approach to protecting patient privacy.
Health care providers are rapidly discovering the potential for secondary uses of patient information from sources including clinical studies, post-market surveillance of drugs and R&D on new products. Although many organizations are sharing information, few have established any restrictions on the data they’ve shared. As data sharing becomes a more common practice, organizations need to upgrade their security measures, according to PwC.
The report, compiled from a survey of 600 executives from health care organizations, also found that although theft accounted for 66 percent of health data breaches over the last two years, 40 percent of providers also reported an incident of improper internal use of protected health information.
"Most breaches are not the result of IT hackers, but rather reflect the increase in the risks of the knowledgeable insider related to identity theft and simple human error – loss of a computer or device, lack of knowledge or unintended unauthorized disclosure," said James Koenig, PwC’s director of the health information privacy and security practice, in prepared remarks.
Lack of awareness or training fuels now-commonplace security and privacy breaches from internal sources. Anything from mishandling paper documents to talking in the elevator or commenting on social media channels can inadvertently affect patient confidentiality.
PwC also found that more than half of the organizations surveyed hadn’t addressed privacy and security issues associated with mobile devices and social media. More than half of healthcare organizations allow access to sites like Facebook while at work; fewer than half have a policy covering the use of social media outside of work, according to the report.
The report follows news of a security breach at Stanford Hospital, where thousands of patient medical records were publicly exposed on a commercial website for nearly a year before being caught last month.