5 steps to protect patient privacy

By Rick Kam
08:12 AM

This has been another stellar year for data breaches in healthcare. The newly released Third Annual Benchmark Study on Patient Privacy & Data Security, by Ponemon Institute reveals that 94 percent of healthcare organizations surveyed suffered at least one data breach during the past two years. What’s more, 45 percent of organizations experienced more than five data breaches each during this same period.

The Ponemon findings highlight the need for organizations to act now to secure PHI and protect patient privacy.

[Q&A: Health orgs don't protect patient data for reasons going ‘back to the industrial revolution’]

Organizations are not breach-proof; in fact, data breaches have become a daily part of business. To use a health analogy, security incidents have the frequency of a common cold but could have the impact of tuberculosis. They require an ongoing approach to minimize their frequency, size, and impact. We recommend that healthcare organizations:

  1. Operationalize pre-breach and post-breach processes, including incident assessment and incident response procedures. Embedding breach-related processes into everyday business demonstrates what we call a culture of compliance—something regulators love to see.
  2. Restructure the information security function to report directly to the board. This move symbolizes a commitment to patient data privacy and security.
  3. Conduct combined privacy and security compliance assessments annually. A professional risk assessment is less than 1 percent the cost of the average data breach response, a wise investment by any standard. These assessments identify the gaps between an organization’s privacy and security profiles and what the law requires. An accurate assessment forms the basis for successful breach prevention and response measures.
  4. Update policies and procedures to include mobile devices and BYOD. This is especially critical since, as we discussed, the vast majority of organizations permit employees and medical staff to use their own mobile devices to connect to their networks or enterprise systems such as email.
  5. Ensure the Incident Response Plan (IRP) covers business associates, partners, and cyber insurance. Third parties can be the weak link in the PHI food chain. In 2011, for instance, a business associate of TRICARE reported a breach affecting nearly 5 million military clinic and hospital patients. In addition, many organizations have sought relief from the high cost of data breach response with cyber insurance. An effective IRP encompasses third-party contingencies and the role of cyber insurance in managing a security or privacy incident.

Perhaps the most disturbing statistic is that 54 percent of organizations have little or no confidence that they can detect all patient data loss or theft. Patient information is at risk, yet healthcare organizations continue to follow the same processes.

[See also: Healthcare IT News' Erin McCann breaks down the report's findings about breaches]

And data breaches are expensive, costing the U.S. healthcare industry nearly $7 billion annually. For patients, the cost is more personal: Of the 52 percent of organizations that experienced medical identity theft, 39 percent say it resulted in inaccuracies in the patient’s medical record and 26 percent say it affected the patient’s medical treatment.

For the trend to shift, organizations need to commit to this problem and make significant changes. These five steps are a good beginning.


Rick Kam, CIPP, is president and co-founder of ID Experts. He is an expert in privacy and information security, with extensive experience leading organizations to address the growing problem of protecting PHI/PII and remediating privacy incidents, identity theft, and medical identity theft. Rick is also chairing the “PHI Project,” a seminal research effort to measure financial risk and implications of data breach in healthcare, led by the American National Standards Institute (ANSI), via its Identity Theft Prevention and Identity Management Standards Panel (IDSP), in partnership with the Shared Assessments Program and the Internet Security Alliance (ISA).

Larry Ponemon, PhD, is a respected voice in privacy, data protection and information ethics. In 2002, he founded the Ponemon Institute, headquartered in northern Michigan. Prior to founding the Institute, Dr. Ponemon was a senior partner at PricewaterhouseCoopers, where he led compliance risk management services for the worldwide firm. Dr. Ponemon has served on the Federal Trade Commission’s Advisory Committee for Online Practices and currently serves as Chairman of the Council of American Survey Research Organizations’ Government Policy Advisory Committee.