Many health care organizations lack sufficient resources to adopt strong privacy and security protections for patient data, according to a report by a coalition of health care and data security groups, Modern Healthcare reports (Conn, Modern Healthcare, 3/5).
About the Report
The coalition includes the:
- American National Standards Institute;
- Internet Security Alliance; and
- Santa Fe Group (Goedert, Health Data Management, 3/5).
For the report, researchers surveyed more than 100 health care industry executives from more than 70 organizations about how their organizations handle protected health information, also called PHI (ANSI release, 3/5).
Researchers found that:
- 76% of survey respondents said their organization has taken "effective steps" to protect PHI; and
- 75% said they agree or strongly agree with the statement, "We have effective policies to protect PHI."
However, the survey also found that:
- 32% of respondents said they disagreed or strongly disagreed with the statement, "We possess sufficient resources to ensure that [PHI privacy and security] requirements are currently being met"; and
- 28% of respondents said they disagreed or strongly disagreed with the statement, "Management views privacy and security as a priority."
When asked to name the most significant challenges preventing their organizations from ensuring the privacy and security of PHI:
- 59% of respondents cited a lack of funding (Modern Healthcare, 3/5);
- 40% cited a lack of time; and
- 32% cited insufficient executive support (Strohm, Bloomberg, 3/5).
Method for Evaluating Data Security Risks
The report also describes a five-step method for evaluating health data security risks.
The method, called the PHI Value Estimator, or PHIve, aims to help organizations:
- Estimate the potential costs of a data breach; and
- Determine the amount of investment necessary to strengthen privacy and security protections and reduce the likelihood of a data breach (Monegain, Healthcare IT News, 3/5).