Traditionally, privacy of Personal Health Information (PHI) has been largely managed by using password/username–based access control lists. Personnel are entrusted with the passwords as they extract data and then clean, modify, de-identify, and analyse the information. As a result, today, organizations rely on their employees’ best judgement to safeguard information. This method is somewhat effective, but far from excellent. Employee error is the top security threat for 75% of healthcare organizations (HCOs) in the US, according to the Ponemon Institute’s Patient Privacy and Data Security report published in March 2014.
To try to safeguard against employee error, HCOs use mechanisms such as limiting access to information and having employees sign privacy policies. Even so, an average of 236 major data breaches affecting 500 or more people is reported every year, and over 21,000 smaller breaches were reported in 2012 alone. Anthem Inc, the second largest health insurer in the United States, reported in February that its “recent cyber breach involving 80 million people could result in ‘significant’ expenses that its cybersecurity insurance policy may not fully cover”.
Change is clearly needed. The US healthcare industry has felt the effect of data breaches, an economic impact that has amounted to as much as $5.6 billion a year. Over a two-year period, the average cost for healthcare organizations in 2014 was estimated at $2 million. The cost of each data breach can range from less than $10,000 to over $1 million. More than ever, healthcare organizations need data governance and privacy controls that go beyond business-as-usual mechanisms.
Privacy? or Access?
As the cost and risks of breaches rise, organizations are being driven to restrict the use of patient data, even though keeping data under lock and key can compromise treatment and affect business competitiveness. Doctors, nurses, and researchers need access to data to provide evidence-based treatment, and administrators need operational data to make decisions about resource allocation. No HCO wants to see scenarios, even with privacy concerns, where patients suffer or die as a result of vital information being withheld due to policy.
Privacy – and Access
How does a healthcare organization make effective use of patient information and provide evidence-based treatment, while protecting the patient’s privacy? Current methods of protection and governance must be taken to a new level in order to provide access to legitimate users while safeguarding confidential information. A next-generation privacy and governance model should include the following:
- Privacy from the ground up: Personal data must be protected throughout its lifecycle. Aggregation, storage, usage, and the destruction of data should all be governed internally and automatically. A system can prevent the export of personal health information by automatically de-identifying patient information, protecting it at all times through governing privacy rules. Governing policies should effectively anticipate and prevent privacy breaches from occurring.
- Role-based access: Different users need different levels of access. A clinician should have access to all the information of the patient he is treating. A researcher, however, may only need to see non-identifiable (does not provide any identity) or de-identifiable (identity omitted) information. A system should be flexible enough to allow these varying degrees of access. A system that bases access on user roles, with attribute-based access control mechanisms, can display information to fit the particular requirements of each user. This protects patient information, and at the same time gives researchers and other users the crucial data they need.
- Audit logs: HCOs need transparency and accountability. Audit logs record who used what data, when, and where, making it possible to detect questionable use and prevent privacy breaches.
- Data sharing agreement: Privacy policies should be fast and easy for the data stewards responsible for governance rules to implement. Rules based on types of data and users should be simple to establish and maintain.
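
The list above combines three controls: automatic de-identification, role- and attribute-based views, and an audit trail. The Python sketch below is an added example, not PHEMI's code; its field names, roles, key and sample record are all constructed assumptions. It shows a treating clinician getting the full record, a researcher getting a de-identified view, and every request, including denials, being logged.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Assumptions (not from the article): field names, roles and the key are illustrative.
DIRECT_IDENTIFIERS = {"patient_id", "name", "health_number", "address", "birth_date"}
PSEUDONYM_KEY = b"constructed-demo-key"  # placeholder; load from a secrets manager
AUDIT_LOG = []  # stand-in for an append-only audit store

def audit(user, record, location, decision):
    """Record who touched what, when and where, including denials."""
    AUDIT_LOG.append({
        "when": datetime.now(timezone.utc).isoformat(),
        "who": user["id"], "role": user["role"],
        "what": record["patient_id"], "where": location,
        "decision": decision,
    })

def de_identify(record):
    """Drop direct identifiers; keep a keyed pseudonym and a coarsened birth year."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["subject"] = hmac.new(PSEUDONYM_KEY, record["patient_id"].encode(),
                              hashlib.sha256).hexdigest()[:16]
    out["birth_year"] = record["birth_date"][:4]
    return out

def view_record(user, record, location):
    """Return the view of `record` that this user's role and attributes allow."""
    treating = record["patient_id"] in user.get("treating", ())
    if user["role"] == "clinician" and treating:
        audit(user, record, location, "full")
        return dict(record)
    if user["role"] == "researcher":
        audit(user, record, location, "de-identified")
        return de_identify(record)
    audit(user, record, location, "denied")
    raise PermissionError(f"{user['id']} may not view this record")

# Constructed sample data.
RECORD = {"patient_id": "P-1001", "name": "Jane Example", "health_number": "0000-000-000",
          "address": "1 Sample St", "birth_date": "1970-05-17", "diagnosis": "E11.9"}
DR_A = {"id": "dr_a", "role": "clinician", "treating": {"P-1001"}}
DR_B = {"id": "dr_b", "role": "clinician", "treating": set()}
RESEARCHER = {"id": "res_1", "role": "researcher"}

if __name__ == "__main__":
    print(view_record(DR_A, RECORD, "ward-3"))
    print(view_record(RESEARCHER, RECORD, "research-vpn"))
```

Dropping direct identifiers is only the first layer: remaining fields such as birth year and diagnosis can still act as quasi-identifiers in small populations, so a real policy would also generalize or suppress them.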
Clear organizational commitment to improving privacy is the first step in preventing data breaches. The second, though, is selecting technology platforms that support the organization’s governance model.
- Ponemon Institute. (2014, March) Fourth Annual Benchmark Study on Patient Privacy & Data Security. Retrieved from http://www2.idexpertscorp.com/ponemon-report-on-patient-privacy-data-security-incidents/
- U.S. Department of Health and Human Services. Annual Report to Congress on Breaches of Unsecured Protected Health Information. Retrieved from http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachreport2011-2012.pdf
- Herman, Bob. “Anthem breach costs could surpass its insurance coverage.” Modern Healthcare. Retrieved from http://www.modernhealthcare.com/article/20150224/NEWS/150229954/anthem-breach-costs-could-surpass-its-insurance-coverage