CDW report: Patients fear for PHI in EHRs
Most patients believe healthcare organizations are responsible for protecting a variety of sensitive information, but 49 percent also believe that EHRs will have a negative impact on the privacy of their personal health information (PHI) and health data, according to a nationwide survey of 1,000 respondents conducted by CDW Healthcare.
Patients not only require that PHI be held securely, but also believe that healthcare organizations are responsible for protecting financial information (86 percent), personally identifiable information (93 percent) and any information provided about a patient’s family (94 percent), according to the survey. CDW conducted the survey from Jan. 24 to Jan. 31 and issued its findings in a report titled “Elevated Heart Rates: EHR and IT Security.”
"Beyond HIPAA and the HITECH Act, patients may respond to any breach of trust with a changed business relationship," reported CDW, of Vernon Hills, Ill. Among respondents who were notified of a breach of their personal data from any business or organization in the past, 33 percent changed their relationship with the affected organization. Nine percent severed the relationship, 12 percent reduced spending and 12 percent no longer trust that organization, according to the report.
When asked who they hold primarily responsible for the privacy and security of their health information, 84 percent of respondents cited either a staff member at the doctor's office by role, or the medical practice as a whole.
Based on work in both health IT and information security, CDW Healthcare identified preliminary steps for healthcare organizations focused on improving their security profile:
Execute an IT security assessment: Many healthcare organizations do not know the current state of their IT security infrastructure. Healthcare organizations need to work with a trusted partner to secure a baseline understanding of what their security profile looks like.
Start with the basics: Notably, 30 percent of physician practices stated that they do not use antivirus software and 34 percent do not use network firewalls. At the absolute minimum, healthcare organizations need to immediately implement steps to meet reasonable security standards.
Protect your investment: As healthcare organizations consider the transition to EHRs, they have the opportunity to implement IT security practices tailored to their tool. This not only protects a sizable investment in technology, but also ensures that as patient data goes digital, security protections are already in place.
Start now, reassess often: IT security is not a one-time fix. Though the EHR transition is a perfect time to initiate tighter IT security controls, all healthcare organizations need to consider their IT security profiles and should consider conducting an assessment at least once a year.