This week's 3 privacy & security developments
This week in health IT, there were three interesting developments all centered around the privacy and security of health data.
EHR vendor Medical Informatics Engineering (MIE) faces a class-action lawsuit in the aftermath of its cyberattack that affected 3.9 million patients. Security experts have been warning that this is the next challenge for healthcare providers—lawsuits in response to data breaches, which only increase their costs and do more damage to their reputation.
More than 100 plaintiffs have joined the suit, which alleges that MIE did not "take available steps to prevent and stop the breach from ever happening," failed to disclose to its customers material facts related to the breach and failed to provide timely notice of the breach.
A report released this week finds that the records of 94 million patients have been stolen from healthcare entities so far this year.
Conservative think tank American Action Forum (AAF) says that in 2013, 90 percent of hospitals claimed to have a computerized system capable of conducting or reviewing a security risk analysis. However, data breaches and the number of records compromised in each breach are increasing. The numbers indicate a 160 percent increase in the average number of records compromised in a single breach from 2014 to 2015, according to the report.
“Already, more has been spent on responding to security breaches of healthcare records in the first six months of 2015 than the total amount of federal incentives paid through the HITECH Act to make this transition happen,” the report says.
Meanwhile, the Health IT Policy Committee met this week and approved the recommendations from the Privacy & Security Work Group regarding security of big data.
The group encourages the Office of the National Coordinator for Health IT (ONC) and other federal stakeholders to hold more public inquiries to increase understanding. “There is a lot of conversation around privacy but understanding much of the harm we’re trying to prevent still remains elusive,” said Stanley Crosley, of Drinker Biddle & Reath law firm and co-chair of the work group. “It would benefit policymakers to know more about the harms consumers are concerned about and make sure they’re taking steps to address those harms.”
The work group’s recommendations include voluntary codes of conduct, the use of community risk assessment review boards, individuals’ rights to access their data, improving trust and reducing the risk of reidentification and having the Office of Civil Rights be a more active steward of the HIPAA deidentification standards.
Beth Walsh
Clinical Innovation + Technology editor