Report Examines Privacy, Security Risks in Patient Health Data
A new report, "Privacy and Security in Health Care: A Fresh Look," released by
the Deloitte Center for Health Solutions, identifies
the risks associated with privacy and security breaches in healthcare. The
report offers guidance to help minimize potential privacy and security threats
as health reform drives increased exchange of online health information.
"As the healthcare industry transitions to widespread adoption of electronic
health records, clinical data warehousing, home monitoring and remote medicine,
there may be greater probability of data breaches, potentially resulting in
data fraud and medical identity theft," said Paul
Keckley, executive director of the Deloitte Center for Health Solutions.
"Medical fraud is a serious issue, and 67 percent of consumers we polled
believe fraud has a major influence on driving up the overall cost of
The Deloitte report identifies some of the reasons why preparedness for
privacy and security risk is inadequate at some health care organizations,
including lack of internal resources (human resources and capital); lack of
internal control over patient information; lack of upper management support;
outdated policies and procedures or non-adherence to existing ones; and
inadequate personnel training.
"The cost of a security breach can be damaging not only to a company's
bottom line, but also to the reputation of its brand," added Russ Rudish, Deloitte’s vice chairman. "As
healthcare organizations adopt new technologies that leverage health
information, it is also imperative that they conduct a senior management-led,
board-approved audit of privacy and security risk, and plan to make
enhancements in support of current policies, rules and regulations."
Privacy and security regulations have historically focused on internal
security processes; however, in the new normal, culpability has been expanded to
downstream entities. As healthcare delivery transitions to performance-based
compensation, increased transparency, and increased use of electronic health records
(EHRs) and personal health records (PHRs), new privacy and security rules,
regulations, laws and standards will be added in each sector. To address the
challenge of protecting against potential privacy and security breaches in the
new era of health reform, Deloitte's report outlines a basic approach for
healthcare industry stakeholders to assess their preparedness across three key
- Risk Management – Help identify and assess data security risks to develop
appropriate security controls to mitigate or avoid risk. This allows healthcare
organizations to make informed decisions on how to allocate security
resources to improve data protection.
- Security and Privacy Program – Develop and implement policies, procedures and
training needs to mitigate or avoid risk. This helps create a baseline for
standards to secure handling of sensitive patient information and
awareness of privacy and security procedures across the organization.
- Compliance – Verify organization conformance to its policies and standards.
This helps reduce organizational risk; creates customer trust and confidence in
an organization's protection of personal health information; and reduces
potential for financial penalties due to reasonable cause or willful
Reflecting the importance of safeguarding consumers' personal health
information, the Deloitte Center for Health Solutions 2010 Consumer Survey
found that while more than half (57 percent) of consumers want access to an
online PHR connected to their doctor's office, one-third (33 percent) are concerned
about privacy and security of an online PHR.
"Healthcare industry stakeholders should act now to prevent
compromising sensitive patient data, preserve brand value and avoid substantial
financial penalties for violations," concluded Keckley. "By building
in technology to prevent, monitor and remedy data breaches and setting aside
operating funds to implement safeguards, the health care industry can confront
and contain this growing challenge while also addressing the needs of their
patients to help improve the quality of care."