More than half of healthcare organizations surveyed had not addressed privacy and security issues associated with the use of mobile devices, and less than one-quarter had addressed privacy and security implications of social media, according to a survey of 600 healthcare organizations. Yet, more than half of organizations surveyed allow access to social networking while at work.
Only 37% of health organizations surveyed incorporated approved uses of mobile devices and social media as part of privacy training.
Also, nearly 70% of healthcare organizations said they are or would be using patient information for secondary uses beyond healthcare, such as for outcomes-based research, patient care improvements, cost effectiveness research, or home-based healthcare.
“When we asked the same group of people, ‘Have you addressed the privacy and security implications of these new and interesting uses?’, only half said they had….The privacy and security safeguards that are needed to address these new uses and technologies may not have kept pace” with the drive to expand patient information uses, said James Koenig, director of PwC’s information privacy and security practice.
The survey also found that only 17% of providers, 19% of payers, and 22% of pharmaceutical/life sciences companies had a process in place to manage patients' consent for how their information can be used.
Sixty-one percent of pharmaceutical and life sciences companies, 40% of health insurers, and 38% of providers currently share information externally. Of those organizations that share data externally, only 43% of pharmaceutical and life sciences companies, 25% of insurers, and 26% of providers have identified contractual, policy, or legal restrictions on how the data can be used.
In addition, PwC found that 73% of patient data breaches are related to electronic-based information. Theft accounted for 66% of reported health data breaches over the past two years.
“When we looked at the breaches themselves, 54% of the healthcare organizations said that they had experienced privacy and security issues in the last two years, which was ahead of where we anticipated. But when we asked them what were the causes of the incidents, the largest area was the improper use of patient information by internal parties”, Koenig told Infosecurity.
During the past two years, 40% of providers reported an incident of improper internal use of protected health information.
Over one-third of healthcare organizations confirmed that they had experienced patients seeking services using somebody else's name and identification. “This is direct support for medical identity theft”, Koenig observed.