Despite the lack of widespread adoption, integrated security procedures can reduce the risk of unauthorized access to sensitive data, according to a report published by consultancy firm PricewaterhouseCoopers (PwC).
Historically, the privacy of patient health data has been the responsibility of compliance departments in healthcare organizations, whereas data security has traditionally been handled by IT departments. According to the PwC report, healthcare providers, medical informatics vendors and healthcare IT professionals must work together to ensure that sensitive information is adequately protected, and that procedures are in place to minimize the risk of illegal access to information.
“Most [data security] breaches are not the result of IT hackers, but rather reflect the increase in the risks of the knowledgeable insider related to identity theft and simple human error – loss of a computer or device, lack of knowledge, or unintended unauthorized disclosure,” James Koenig, director of PwC’s health information privacy and security practice, told Information Week. “Healthcare organizations that had used an integrated approach had experienced 10 percent fewer privacy and security incidents in the past two years.”
The security of patient and other sensitive healthcare information has become the focus of increasing scrutiny at the legislative and policy level in recent years. The Office for Civil Rights (OCR) at the Department of Health and Human Services has begun investigating and auditing healthcare providers much more proactively for compliance with the Health Insurance Portability and Accountability Act of 1996.
Of the 600 healthcare facilities that participated in the PwC study, more than 70 percent of providers said that they had devoted increased resources to security and privacy in response to heightened regulatory and enforcement action by governing bodies such as the OCR.