Posted on 04/09/2008 10:58:15 AM PDT by APRPEH
HIMSS Analytics (short for Healthcare Information and Management Systems Society), a think-tank for the healthcare management world, has just released the 2008 HIMSS Analytics Report: Security of Patient Data. release info.
This report examines the security of patient personal identifying information (PII) and protected health information (PHI). In the current data-breach-crazy world, this is a timely report which tries to get beneath the surface of the needs of health professionals to balance quick access to secure patient health records and the need not only to protect patient privacy but also to prevent access to information which could lead to identity theft.
In discussing PHI and PII, it is important to first establish a fact. Unauthorized access to PII, no matter where it may be found, could lead to identity theft. Unauthorized access to PHI alone will not lead to financial identity theft in most cases. It could be used to help a fraudster identify a possible victim by placing the consumer/victim in a particular location and may give the fraudster a hint as to vulnerabilities of the consumer. It is also unlikely to result in medical identity theft. In terms of useful information needed to perpetrate identity theft, the date of birth and Social Security Number are far more valuable than PHI. A consumer may feel that their privacy has been violated when PHI has been exposed, but unless PII is included in the breached data, the patient is only marginally more likely to be exposed to identity theft than other non-breached consumers.
(Excerpt) Read more at aprpeh.blogspot.com ...
I now work on the IT side of Big Pharma, and let me tell you, people around here are scared poopless about keeping PII under wraps. Our test data is scrambled and sanitized like you wouldn’t believe, and I see radical system changes get made just to keep the transmission of PII over unsecured networks (Internet, mainly) to an absolute minimum.
There’s always a danger, especially with so much offshoring, but healthcare companies do take this seriously. They’ve got to. If they let PII slip out, they know the size of the crapstorm that’s going to result and the financial hit they will take from the lawsuits.
}:-)4
The report (IMHO) seems to imply the IT side of security is pretty strong. Where the problem seems to be is keeping information available to health care workers as needed and still protecting it once it has been retrieved and out of IT control system controls.