Healthcare News & Insights

Survey: Health IT security not a priority for management

Breaches of electronic protected health information are becoming more common, and the costs can be devastating. However, a recent report says many healthcare organizations aren’t giving security the priority it deserves. 

Over the past two years, more than 18 million Americans have had their electronic protected health information stolen. That’s the word from a new report, “The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security,” published by the American National Standards Institute (ANSI).

The report was put together by the PHI Project, a coalition led by ANSI’s Identity Theft Protection and Identity Management Standards Panel, the consulting firm Santa Fe Group and the Internet Security Alliance. The research included a survey of more than 100 providers, payers and other healthcare organizations.

Health information is at a high risk of being breached, the group says, because healthcare technology is being adopted quickly for its cost and quality-of-care benefits, while health IT security regulations and practices haven’t kept pace.

One problem: Management doesn’t always see protecting patient information as a top concern. When asked how much they agreed with the statement, “Management views privacy and security as a priority,” 28% of respondents disagreed and 11% were neutral.

That mixed perception of security shows up in how budgets are allocated, too, as fewer than half of healthcare organizations said they’re given the right resources to make sure security requirements are met. Nearly 60% said a lack of funding was the biggest obstacle to improving their health IT security.

One way to try to turn things around: Show management how much a data breach can cost an organization. Because according to the report, it’s a lot.

Though the legal repercussions are steep if protected health information is exposed, those aren’t the only costs organizations will face after a breach. According to the report, the full cost of a health data breach includes:

  1. Financial repercussions, such as the immediate costs of dealing with the breach and notifying affected individuals, increased insurance costs, the cost of changing vendors, if necessary, and lost productivity as the organization deals with the breach
  2. Legal ramifications, including fines and penalties from state and federal organizations, potential lawsuits and legal fees, and the cost of a reinstatement of accreditation, if necessary
  3. Reputational damages, such as a loss of current or potential patients, loss of strategic partners, and increased turnover or difficulty recruiting staff
  4. Operational repercussions, including the potential costs of recruiting and training new hires, and the costs of reorganization to prevent future breaches, and
  5. Clinical issues, including the costs of fraudulent claims that may be processed, delayed or inaccurate diagnoses, and possibly bad or missing data in electronic records.

The report gives one example of a hypothetical breach involving 845,000 patient records and leading to an incident of clinical fraud that results in one patient’s death. The final tally after all those estimated costs were added up: $25.5 million.

The PHI Project recommends healthcare organizations conduct their own assessments by adding estimates of those costs and using that to determine how much to invest in IT security.

For more information on calculating the potential costs of a health data breach, download the report here (free registration required).
