Year in review: Top 10 trends in healthcare data privacy and security

By Rick Kam
10:17 AM

Forget the hospital dramas on TV. Our top 10 list of this year’s trends in healthcare privacy and security has excitement to rival any show. 2011 has been the year of policing by the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR), of mobile technology, and of massive-scale data breaches:

1. More policing, more penalties, OCR-style.
The OCR has entered a new phase of increased enforcement and fines that are stiffer than an overstarched lab coat. In February, Cignet Health was fined $4.3 million for denying patients access to their medical records. At about the same time, Massachusetts General agreed to pay $1 million for the loss of 192 patients’ PHI.

2. Increase in healthcare data breaches.
Despite increased enforcement of federal regulations, the frequency of healthcare data breaches is on the rise, up 32 percent, according to a new benchmark study by the Ponemon Institute. Data breaches have become a when, not if, reality in the lives of healthcare professionals. The Ponemon study found that hospitals and healthcare providers are averaging four data breaches a year. These data breaches are costing the healthcare industry an estimated $6.5 billion annually, according to the study.


3. A wider use of mobile devices in medicine.
From using iPads in surgery to storing sensitive medical data on flash drives, mobile devices are ubiquitous in healthcare. According to the Ponemon study, more than 80 percent of healthcare organizations use mobile devices that collect, store and/or transmit some form of PHI. Yet, security is a lesser priority; half of the respondents in the study don’t do anything to protect these devices.

4. Massive-scale data breaches in healthcare.
In terms of the number of patient records involved, 2011 was a notorious year for healthcare data breaches: Sutter Health, 4 million records; TRICARE, 4.9 million records; and Stanford Hospital and Clinics, 20,000 records.

5. Greater patient awareness.
Disasters make for a great news story, and data breaches are no different. Given the increase in healthcare data breaches, and the greater attention paid to patient data privacy in general, patients are beginning to understand more about their vulnerability to medical identity theft. Consumers in general are beginning to realize the dangers lurking everywhere and are becoming more vocal in demanding increased protections, rights, and tools for protecting this valuable information.

6. Taking protected health information (PHI) to the cloud.
The healthcare IT industry is starting to move to the cloud. Outsourcing the storage, management and processing of PHI to a cloud computing provider is a good way to reduce costs and increase efficiency. But beware. Privacy and legal issues abound, such as compliance with HIPAA privacy and security regulations.

7. Increased use of business associates (BAs).
These “downstream” providers exist to help covered entities cut costs and increase efficiencies. At the same time, BAs are considered the “weak link in the chain” when it comes to data privacy and security. 69 percent of organizations that participated in the Ponemon study say they have little or no confidence in their business associates’ ability to secure patient data—a justifiable concern, since third-party mistakes, including those of business associates, account for 46 percent of data breaches reported in the study.


8. OCR starts the HIPAA audit program.
For healthcare professionals, 2011’s scary word was audit. In accordance with the HITECH Act, HHS must allow for periodic audits of covered entities—and business associates, later on—to ensure compliance with HIPAA Privacy and Security Rules and breach notification standards. The pilot program, which includes up to 150 audits, started in November and has sent covered entities that are still unprepared running for cover.

9. The use of cyberliability insurance to manage data breach risks.
With large-scale data breaches, high response costs, and multi-million dollar judgments (see trend #1) in the news, companies—including healthcare providers—are eager to limit potential financial damage from data breaches. Enter cyberliability insurance. Nearly 30 carriers offer this insurance, although not all with the same degree of expertise and reliability.

10. Data breaches are costing hospitals more than ever.
Despite the wider acceptance of data breaches as a fact of life for healthcare providers, the financial and reputational impacts are greater than before. The average economic impact of a data breach increased 10 percent from last year to $2.2 million, the Ponemon study found. Factors such as diminished reputation, lower productivity, and loss of patient goodwill may contribute to patient churn, at an average lifetime value of more than $113,000, according to the Ponemon study.

As these trends illustrate, 2011 has been a dizzying year for the healthcare industry. The best defense against all this uncertainty is planning and preparation – because 2012 is just around the corner.

Rick Kam, CIPP, is president and co-founder of ID Experts. Rick is also chairing the “PHI Project,” a seminal research effort to measure financial risk and implications of data breach in healthcare, led by the American National Standards Institute (ANSI), via its Identity Theft Prevention and Identity Management Standards Panel (IDSP), in partnership with the Shared Assessments Program and the Internet Security Alliance (ISA).

Christine Arevalo is director of healthcare identity management and a founding employee of ID Experts. She has experience managing risk assessments, complex crisis communication strategies, and data breach response for healthcare organizations.