A majority of health organizations are under-prepared to protect patient privacy and secure data as new uses for digital health information emerge and access to confidential patient information expands, according to a report by the Health Research Institute at PricewaterhouseCoopers (PwC).
According to the report, existing privacy and security controls have not kept pace with new realities in healthcare, like increased access to information in electronic health records or greater data collaboration with external partners and business associations.
A recent nationwide PwC Health Research Institute survey of 600 executives from US hospitals and physician organizations, health insurers, and pharmaceutical and life sciences companies found, among other things, that theft accounted for 66 percent of total reported health data breaches over the past two years, and medical identity theft appeared to be on the rise. The research also found that there is considerable concern for the ‘knowledgeable insider.’ On average, improper use of personal health information by an internal party was the leading privacy/security issue experienced by healthcare organizations over the last two years.
PwC says the study revealed that more than half of healthcare organizations allow access to social networking while at work, and fewer than half have a policy covering the use of social media outside of work.
Digitized health data is becoming one of the most highly valued assets in the health industry, and, according to PwC, all kinds of organizations are now converging around the shared use of the information to enable new care delivery models. Organizations also are discovering the potential in secondary uses of the information beyond treating patients, such as in clinical studies, post-market surveillance of drugs and the development of new products and services. However, while many organizations are sharing information, only a handful have established proper restrictions and consent agreements to control proper access, says PwC.
Peter Harries (principal and co-leader, Health Information Privacy and Security Practice, PwC): To protect patient trust and their own brand reputation, organizations need to go beyond minimum regulatory requirements and adopt an integrated approach that combines privacy, security and compliance within a culture where all employees see themselves as champions of confidentiality and where privacy is part of the patient experience.