Deloitte Report Highlights Data Privacy And Security Issues In Health Care Industry

By Author: iClass
Total Articles: 211
Comment this article

Industries across domains have embraced information technology (IT) in their operations. The transnational nature of business has made it inevitable for organizations to implement IT in all their routine and major operations. IT not only helps in improving productivity of organizations but also ensures timely communication of information, necessary for survival of business in the prevailing competitive scenario. Like other industries, health care industry is also leveraging IT to streamline operations and enhance service quality. However, the use of electronic channels also poses risks in the form of data and security breach. Loss of confidential patient data has legal, financial and reputational implications for health care service providers.

Recently, Deloitte released a report on privacy and security issues for United States (U.S) health care industry. According to the report, the adoption of IT has resulted in more number of electronic footprints in the form of electronic storage of personal health records, clinical warehousing a home monitoring and distance medicine. The past few years have witnessed emergence of ...
... e-prescriptions, billing of medical claims, electronic health records and use of social media sites for information exchange, online training and medical advice. While these developments have revolutionized the health care industry, they provide more opportunities for unscrupulous elements to breach security and steal personal health information. Gaps in the legislation with respect to coverage of business associates of health service providers have also allowed scope for data breaches.

Health care organizations are bound by the health information privacy rules of the Health Insurance Portability and Accountability Act (HIPAA). Interim breach notification rule issued in 2009 requires organizations to report breach of unsecured protection health information to the affected individuals and Secretary of the Department of Health and Human Services (HHS). In case the breach affects more than 500 patients of a state, the concerned health care organizations have to report breach to the media not later than 60 days from the security breach.

The Deloitte report indicates that data breach has affected around seven million patients after the enactment of the breach notification rule. Majority of the breaches have been caused by theft followed by loss, unauthorized access, improper disposal and intrusion. Laptops were the major source of breach in terms of location of the breach followed by paper records and films, desktop computers and portable electronic devices. Leakage of sensitive information such as credit card details, medical history, contact addresses, date of birth, insurance claim information and social security numbers may result in identity theft. Data breach may also cause intellectual property rights issue for life sciences organizations.

Lack of proper control and monitoring system, poor implementation of IT security policy and lack of security awareness expands the scope for data breach. Deloitte emphasizes on implementation of risk management strategy to develop adequate security controls, creating standards for secure handling of sensitive patient information, employee training and effective compliance management. Internet security awareness education may help employees in understanding different types of threats and implications of a security breach. Mandatory e-learning programs and regular webinars may be used to create security awareness among employees and help organizations in reducing security breaches.

Adherence to security fundamentals may help individuals and organizations on ensuring security of personal health information. Health service providers and regulatory authorities must guide patients on proper usage of personal health information. Users must be wary of sharing information regarding personal medical history online.