Health information exchanges increase risk of patient data breach

In an effort to improve efficiency, more and more healthcare organizations are setting up health information exchanges. But many of these exchanges are being launched by inexperienced or understaffed organizations, which increases the risks of a data breach, warned a panel of health care experts assembled by ID Experts, a data breach consulting firm for the healthcare industry.

The cost of a data breach is likely to increase as a result of regulatory penalties and remedial actions. The panel predicted that a “significant" data breach at a major heathcare organization is likely to occur this year that will bring national attention to the problem.

"Endemic failure to keep pace with best practices and advancing technology has resulted in antiquated data security, governance, policy planning in the healthcare industry. Millions of patients are at risk for medical and financial identity fraud due to inadequate information security”, commented panel member Larry Ponemon, chairman of the Ponemon Institute.

This antiquated data security system will heighten patient concern about the security of their medical information, the panel predicted.

"2011 will be the year that Americans recognize they can't control personal health information in health IT systems and data exchanges. Will 2011 be the year that data security and privacy are the top of the nation's agenda? I hope so”, said Deborah Peel, a panel member and founder of Patient Privacy Rights.

The panel warned that the finalization of data breach notification rules by the Department of Health and Human Services this year could remove “harm threshold” provision that determines whether notification is required when a data breach incident occurs. If this threshold is removed, this would create a risk of over notification and desensitization of patients, it added.

"The healthcare industry is on the verge of a major shift. Organizations are venturing into the electronic world for the first time as practices implementing electronic health records and states are launching health information exchanges. A surge of new data will be brought online by a lot of inexperienced organizations fueled by monetary government incentives. Mistakes are a certainty. Combine this with sophisticated approaches to identity theft by organized crime, and breaches will happen. When a breach occurs, the way the organization handles it publicly will be critical”, concluded panel member Ernie Hood, chief information officer of Group Health Cooperative.

What’s Hot on Infosecurity Magazine?