PwC: Healthcare is underprepared to protect patient info
Old privacy and security controls no longer suffice to comply with existing privacy laws and patient consent agreements, PwC says. Healthcare organizations need to update practices and adopt a more integrated approach to ensuring that patient information doesn’t fall into the wrong hands.
In its report “Old data learns new tricks: Managing patient privacy and security on a new data-sharing playground,” PwC says existing privacy and security controls have not kept pace with new realities in healthcare: increased access to information in EHRs; greater data collaboration with external partners and business associates; emerging new uses for digital health information to improve the quality and cost of care; and the rise of social media and mobile technology to efficiently manage patient health.
The recent PwC Health Research Institute survey of 600 executives from U.S. hospitals and physician organizations, health insurers and pharmaceutical and life sciences companies found:
- Theft accounted for 66 percent of the reported health data breaches over the past two years. Also, medical identity theft appears to be on the rise. Thirty-six percent of provider organizations (hospitals and physician groups) confirmed that they had experienced patients seeking services using somebody else’s name and identification.
- Fifty-five percent of health organizations have not addressed privacy and security issues associated with the use of mobile devices, and less than one-quarter have addressed privacy and security implications of social media.
- Fifty-four percent of health organizations surveyed reported at least one issue with information privacy and security over the past two years.
- The most frequently reported issue among providers was improper use of protected health information by an internal party. Over the past two years, 40 percent of providers reported an incident of improper internal use of protected health information.
- The most frequently reported issue among health insurers and pharmaceutical and life sciences companies was the improper transfer of files containing personal health information to unauthorized parties. Over the past two years, 21 percent of pharmaceutical and life sciences companies and 25 percent of health insurers improperly transferred files containing protected health information.
The survey also found:
- More than half of healthcare organizations allow access to social media while at work; less than half have a policy covering the use of social media outside of work.
- Thirty-seven percent of the health organizations surveyed incorporate approved uses of mobile devices and social media as part of company privacy training.
- Only 58 percent of providers and 41 percent of health insurers say they include the appropriate use of EHRs as part of employee privacy training.
- Only 36 percent of health organizations perform a pre-contract assessment of their business associates such as business partners and vendors, and just 26 percent conduct post-contract compliance assessments.
PwC’s research found considerable concern for the “knowledgeable insider.” On average, improper use of personal health information by an internal party was the top privacy/security issue experienced by healthcare organizations over the last two years. Because of a lack of awareness or training, breaches are more likely to occur through the mishandling of paper documents, people talking in the elevator, or comments made via social media.