Deloitte Report Highlights Data Privacy and Security Issues in Health Care Industry
The report emphasizes on developing adequate security controls, framing security policies and procedures, employee training and compliance management.
Recently, Deloitte released a report on privacy and security issues for United States (U.S) health care industry. According to the report, the adoption of IT has resulted in more number of electronic footprints in the form of electronic storage of personal health records, clinical warehousing a home monitoring and distance medicine. The past few years have witnessed emergence of e-prescriptions, billing of medical claims, electronic health records and use of social media sites for information exchange,online training and medical advice. While these developments have revolutionized the health care industry, they provide more opportunities for unscrupulous elements to breach security and steal personal health information. Gaps in the legislation with respect to coverage of business associates of health service providers have also allowed scope for data breaches.
Health care organizations are bound by the health information privacy rules of the Health Insurance Portability and Accountability Act (HIPAA). Interim breach notification rule issued in 2009 requires organizations to report breach of unsecured protection health information to the affected individuals and Secretary of the Department of Health and Human Services (HHS). In case the breach affects more than 500 patients of a state, the concerned health care organizations have to report breach to the media not later than 60 days from the security breach.
The Deloitte report indicates that data breach has affected around seven million patients after the enactment of the breach notification rule. Majority of the breaches have been caused by theft followed by loss, unauthorized access, improper disposal and intrusion. Laptops were the major source of breach in terms of location of the breach followed by paper records and films, desktop computers and portable electronic devices. Leakage of sensitive information such as credit card details, medical history, contact addresses, date of birth, insurance claim information and social security numbers may result in identity theft. Data breach may also cause intellectual property rights issue for life sciences organizations.
Lack of proper control and monitoring system, poor implementation of IT security policy and lack of security awareness expands the scope for data breach. Deloitte emphasizes on implementation of risk management strategy to develop adequate security controls, creating standards for secure handling of sensitive patient information, employee training and effective compliance management. Internet security awareness education may help employees in understanding different types of threats and implications of a security breach. Mandatory e-learning programs and regular webinars may be used to create security awareness among employees and help organizations in reducing security breaches.
Adherence to security fundamentals may help individuals and organizations on ensuring security of personal health information. Health service providers and regulatory authorities must guide patients on proper usage of personal health information. Users must be wary of sharing information regarding personal medical history online.
EC-Council is a member-based organization that certifies individuals in cybersecurity and e-commerce skills. It is the owner and developer of 16 security certifications, including Certified Ethical Hacker (CEH), Computer Hacking Forensics Investigator (CHFI) and EC-Council Certified Security Analyst (ECSA)/License Penetration Tester (LPT). Its certificate programs are offered in over 60 countries around the world.
EC-Council has trained over 80,000 individuals and certified more than 30,000 members, through more than 450 training partners globally. These certifications are recognized worldwide and have received endorsements from various government agencies including the U.S. federal government via the Montgomery GI Bill, Department of Defense via DoD 8570.01-M, National Security Agency (NSA) and the Committee on National Security Systems (CNSS). EC-Council also operates EC-Council University and the global series of Hacker Halted security conferences.
Tag Words: health care industry, health information, data breach, security fundamentals, privacy, security, hipaa, hhs, security awareness, compliance