Patient data is at risk: Do you call IT?

Patient data maintained by hospitals represents a potential playground for anyone with an inclination toward fraud and theft. There are names, birth dates, Social Security numbers, insurance policy information, and banking and credit card information floating through every hospital's cyber-halls. Because most of this data is stored in some type of electronic format, many CFOs think that the IT department should handle data security and don't realize that the issue falls under their purview. However, the report, "The Financial Management of Cyber Risk: An Implementation Framework for CFOs," from the Internet Security Alliance and the American National Standards Institute makes clear that financial professionals are in a prime position to provide the facility-wide strategic leadership required to secure patient data.

The passage of the Health Information Technology for Economic and Clinical Health Act (HITECH) and the release of the so-called Red Flags Rule have recently strengthened the data privacy and security regulations included in the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Yet more than 110 healthcare organizations have reported losing sensitive personal identifying information (PII) and protected health information (PHI) since January 2008, affecting more than 5.3 million individuals, according to the "2010 HIMSS Analytics Report: Security of Patient Data" commissioned by Nashville, Tenn.-based Kroll's Fraud Solutions.

And the number of reportable data breaches is growing fast. A website maintained by the Office of Civil Rights of the Department of Health and Human Services lists 23 healthcare data breaches affecting 500 or more individuals from Jan. 1 through March 11 of this year. How many smaller data breaches hospitals have experienced is anyone's guess.

Almost two-thirds of the 2010 HIMSS survey respondents (66 percent) indicated that their data breaches resulted from unauthorized access by someone who was employed by the facility when the breach occurred. Wrongful access of paper-based patient data came in second at 33 percent. Only 11 percent of respondents said data breaches occurred due to the loss or theft of a laptop, handheld device or computer hard drive.

The potential financial penalties related to data breaches can be severe, topping $1 million in some cases. And patient satisfaction can definitely take a nosedive when their financial lives are put at risk.

Almost all facilities (98 percent of respondents) have policies to report patient data breaches, and 87 percent have policies that require monitoring of patient information access and sharing, says HIMSS.

To me, these statistics suggest that the problem can't be solved by technological bells and whistles alone. Staff members across the board need to get involved. Hospitals nationwide are working to establish a culture of patient safety from a clinical perspective. It's past time for CFOs to lead the way toward extending that safety to patient data and establishing a culture of patient data security as well. - Caralyn