Many practices, hospitals don't monitor data security
A quarter of those who responded to a recent survey would not qualify for that aspect of the meaningful use EMR requirements.
By Pamela Lewis Dolan — Posted Nov. 22, 2010
One requirement for collecting meaningful use incentives is for practices and hospitals to conduct assessments to determine if their data are secure. However, a survey by the Healthcare Information and Management Systems Society finds that many organizations don't perform that task.
The survey of 272 information technology professionals, a quarter of whom work for medical practices, found that 25% had not performed a risk assessment of the protected health information created or maintained by their electronic medical record systems. Among respondents from medical practices, 33% said they don't conduct a risk analysis, compared with 14% of respondents who work for hospitals.
The survey, now in its third year, included a greater share of medical practices than in past years because this year's edition, sponsored by Intel, also was supported by the Medical Group Management Assn.
Meaningful use incentives grew out of the 2009 economic stimulus package. Meaningful use rules laid out criteria eligible hospitals and physicians must follow to qualify for incentive money. Those criteria include a requirement that health care organizations conduct a data security risk analysis of their EMR systems. The organizations must identify deficiencies and implement necessary updates and changes.
"As the survey results indicate, one-quarter of the sample population would not qualify for meaningful use incentives based on not having a process to conduct risk analyses," said Lisa Gallagher, senior director of privacy and security for HIMSS. "With almost 80% of respondents indicating that they would share electronically stored data outside of their organizations, health care organizations must ensure that proper security protections are operative and based on an ongoing risk analysis process."
A separate study tried to make the financial case that the cost of not securing an EMR can go well beyond what a practice would lose by failing to qualify for meaningful use incentives: a maximum of $44,000 over five years from Medicare, or nearly $64,000 over six years from Medicaid.
The Ponemon Institute published a study on Nov. 9 that looked at how hospitals protect patient data and how they deal with breaches and data loss. The study measured the economic consequences associated with data loss and estimated that breaches cost U.S. hospitals nearly $6 billion a year.
Larry Ponemon, chair and founder of the Ponemon Institute, said many of the largest organizations interviewed for the study have fewer than two people on staff dedicated to data protection. Many small organizations don't have a dedicated information technology staff.
Rick Kam, president and co-founder of ID Experts, a Portland, Ore., data breach protection and response firm that commissioned the Ponemon study, said a proper risk assessment for a small practice of fewer than 10 physicians could range from $5,000 to $20,000.
But most practices don't understand the risk they are taking by not making that investment, he said.
A recent Harris Poll found that the chances of losing a patient after a data breach are high. Harris polled more than 1,000 adults by phone in September and found that 91% would not return to a business if their personal information were stolen.
"This research confirms that poor document management practices can significantly damage a business's reputation and discourage once-loyal customers from ever returning," said Gail Cunningham, a spokeswoman for the National Foundation for Credit Counseling. "It could also discourage potential customers from ever entering."
For a hospital, Ponemon said, a patient's decision to take his or her business elsewhere represents a loss of $107,580 over the patient's lifetime. That cost does not include how much facilities would need to spend on patient notification and credit protection after a breach.
"Clearly, the data breach issue is a big issue, and it's costing health care organizations, we extrapolate, potentially billions of dollars," Ponemon said. "So it's a serious problem, and it's a problem that doesn't seem to be going away -- at least in the near term."