Home » News » Meaningful Use | Electronic Health Records | Enterprise Content Management | Health Information Exchange (HIE) | Mobile/Wireless | Privacy and Security
Receive News By Email

  • del.icio.us
  • Digg
  • StumbleUpon
  • Reddit
  • Facebook
  • Google
  • RSS Icon
  

Experts name top 7 trends in health information privacy for 2011

January 04, 2011 | Molly Merrill, Associate Editor

Related Resources

PORTLAND, OR – A panel of healthcare experts representing privacy, trends, technology, regulatory, data breach and governance have identified the top seven trends in healthcare information privacy for 2011.

The experts suggest that as health information exchanges take form, millions of patient records – soon to be available as digital files – will lead to potential unauthorized access, violation of new data breach laws and exposure to the threat of medical and financial identity theft.

"Endemic failure to keep pace with best practices and advancing technology has resulted in antiquated data security, governance, policy plaguing in the healthcare industry," said Larry Ponemon, chairman and founder, Ponemon Institute.

"Millions of patients are at risk for medical and financial identity fraud due to inadequate information security," he said. "Information security in the healthcare industry is at the fulcrum of economic, technological, and regulatory influence and, to date, it has not demonstrated an ability to adapt to meet the resulting challenges – but it must. The reputation and well-being of those organizations upon which we rely to practice the healing arts depends on it," he said.

The top predictions for 2011 include:

  • Health information exchanges, many of which will be launched by inexperienced and understaffed organizations, will force more attention on security and privacy.

"The healthcare industry is on the verge of a major shift," said Ernie Hood, vice president and CIO, Group Health Cooperative, one of the nation's largest consumer-governed healthcare systems. "Organizations are venturing into the electronic world for the first time as practices implementing electronic health records and states are launching health information exchanges.  A surge of new data will be brought online by a lot of inexperienced organizations fueled by monetary government incentives.  Mistakes are a certainty," he said. 

  • There will be increased fines and regulatory action by State Attorneys General and regulatory agencies.

"In 2011, we can expect that the Department of Health and Human Services Office for Civil Rights will be gearing up its proactive audits," said Cliff Baker, managing partner for Meditology, a healthcare IT risk management and deployment services firm. "Where does this leave OCR audits in 2011?  They're probably directed at those organizations that have breaches attributable to known and published high-risk areas.  Look for those organizations to be dealing with OCR auditors camped out at their facilities in 2011."

  • Data breaches and associated costs will increase, as penalties for information security negligence are acted on.

"As healthcare information becomes more mobile, issues with security will only become increasingly complex," said Sandeep Tiwari, CEO, Zafesoft, Inc., a provider of information security and control software.  "Healthcare is a mammoth space that changes and moves slowly, but when it does, it moves en masse. In the case of PHI/PII the laws were ahead of the technology," he said.  "To date, there have been no secure audit trails, which impacts the effectiveness of the laws.  If we can't track how and when private and personal information is accessed, we will never secure it," Tiwari said.

Story continued on next page.

Related Topics:

Reader Comments (2)Login to Post a Comment

dberger05 says: Security Means Back to Basics
January 11, 2011 | 1:46AM GMT

Being aware of risks is insufficient in and of itself. The risk management process is a continuous cycle through three steps: risk assessment, control implementation and control testing. Start with these basic elements and focus resources accordingly. How else can healthcare organizations ensure that security controls are consistent with policy? I can't stress enough how important this is.
For more insight on this topic (and a few laughs), read my recent blog post:
http://wp.me/pymfm-vG

Derek says: Reported breaches are just the tip of the iceberg
January 06, 2011 | 11:08AM GMT

Thank you for writing this article. We have posted a link to it on Identity Theft Daily News (www.idtheftdailynews.com) -- our news portal for breaking stories on data breaches, identity theft and compliance.

Your experts are certainly on the mark with regard to the outlook for 2011.

The 662 publicly reported breaches in the U.S. last year (200+ in health care) are just the tip of the iceberg. A case in point is Identity Force's 2010 survey of hospitals, where over 40% of U.S. hospital executives reported that their organizations experience 10 or more breaches each year. That means there are thousands of breaches annually in the health care industry alone -- but most are not reported. A copy of the report can be found at www.identityforce.com/Press.php.

Thanks again for keeping businesses and the public informed. Hopefully 2011 will see more and more businesses incorporating proactive policies and procedures to eliminate breaches -- and to follow proper notification guidelines as required by law.