Since the introduction of the HITECH Act in 2009, protecting patient data has become critically important. With severe civil and criminal penalties, HIPAA now has the teeth to punish those who fail to protect patient data. Coupled with mandatory breach notification and the public attention breaches have been receiving, facilities are on notice as never before.
With the high cost of health care, medical identity theft is on the rise. Criminals assume the identity of another individual in order to obtain medical services. In 2011, there were 1.9 million medical identity thefts with an average cost of nearly $21,000. Beyond the financial cost, medical identity theft reduces the services available to the true patient, because the fraudulent services have already been charged against their benefits. Additionally, the criminal's medical information can end up in the true patient's medical record, possibly affecting the care they later receive. Patients often only find out they are a victim of medical identity theft after receiving collection letters for services they never received, seeing a drop in their credit score, or discovering noticeable mistakes in their medical record. Removing the fraudulent services and settling the matter with their insurance carrier can be a costly and difficult task.
Despite the widely understood importance of patient record privacy, hospital information security teams face significant challenges that often leave them reacting to security breaches instead of proactively preventing them.
Computer security typically does not receive the attention given to more visible services. It does not have the buzz or appeal of a new state-of-the-art MRI machine or a new orthopedic surgery center. It does not draw donors, nor does it bring in revenue. With a reduced budget, software, equipment, and staff are often underserved.
With limited budgets, staffing is often kept to a minimum. Facilities looking to streamline their human resource costs are more apt to cut non-patient-care employees, such as computer technicians.
With a limited budget and limited staff comes very limited time to spend on all technology services. When the MRI machine goes down, routine maintenance comes to a standstill while staff are routed to the emergent breakdown. The computer technician is often so overwhelmed with break/fix issues that little to no time is available for the security assessments needed to locate and remove vulnerabilities.
Medical identity theft is a billion-dollar industry in the United States, and breaches are increasing. Hospital information security teams are under constant threat and face serious consequences should a breach occur. While no system is perfect, a proactive approach to maintaining optimal data security, facilitated by an outsourced risk management agency, allows facilities to mitigate their vulnerabilities and reduce the breaches that happen through their systems.
Using an outside risk management consulting agency, such as the NCX Group, can allow hospital information security teams with limited budgets and staffing to succeed in protecting patient records. By utilizing the services of a specialized staff focused only on data risk management, facilities can achieve the level of security necessary to protect data while minimizing staffing and budgetary concerns.
A customized risk assessment coupled with a facility-specific security plan can help ensure that facilities are maintaining the highest level of medical record safety.
Photo Courtesy of Ryan Somma