Many practices, hospitals don't monitor data security

A quarter of those who responded to a recent survey would not qualify for that aspect of the meaningful use EMR requirements.

By Pamela Lewis Dolan — Posted Nov. 22, 2010


One requirement for collecting meaningful use incentives is for practices and hospitals to conduct assessments to determine if their data are secure. However, a survey by the Healthcare Information and Management Systems Society finds that many organizations don't perform that task.

The survey of 272 information technology professionals, a quarter of whom work for medical practices, found that 25% had not performed a risk assessment of the protected health information created or maintained by their electronic medical record systems. Of the medical practices surveyed, 33% said they don't conduct a risk analysis, compared with 14% who worked for hospitals.

The survey, in its third year, included a greater representation of medical practices compared with past surveys, because this year's survey, which was sponsored by Intel, also was supported by the Medical Group Management Assn.

Meaningful use incentives grew out of the 2009 economic stimulus package. Meaningful use rules laid out criteria eligible hospitals and physicians must follow to qualify for incentive money. Those criteria include a requirement that health care organizations conduct a data security risk analysis of their EMR systems. The organizations must identify deficiencies and implement necessary updates and changes.

"As the survey results indicate, one-quarter of the sample population would not qualify for meaningful use incentives based on not having a process to conduct risk analyses," said Lisa Gallagher, senior director of privacy and security for HIMSS. "With almost 80% of respondents indicating that they would share electronically stored data outside of their organizations, health care organizations must ensure that proper security protections are operative and based on an ongoing risk analysis process."

A separate study tried to make the financial case that the costs of not ensuring an EMR's security can go well beyond what a practice would lose by not qualifying for meaningful use -- a maximum of $44,000 over five years from Medicare, or nearly $64,000 over six years from Medicaid.

The Ponemon Institute published a study on Nov. 9 that looked at how hospitals protect patient data and how they deal with breaches and data loss. The study measured the economic consequences associated with data loss and estimated that breaches cost U.S. hospitals nearly $6 billion a year.

Larry Ponemon, chair and founder of the Ponemon Institute, said many of the largest organizations interviewed for the study have fewer than two people on staff dedicated to data protection. Many small organizations don't have a dedicated information technology staff.

Rick Kam, president and co-founder of ID Experts, a Portland, Ore., data breach protection and response firm that commissioned the Ponemon study, said a proper risk assessment for a small practice of less than 10 physicians could range from $5,000 to $20,000.

But most practices don't understand the risk they are taking by not making that investment, he said.

A recent Harris Poll found that the chances of losing a patient after a data breach are high. Harris polled more than 1,000 adults by phone in September and found that 91% would not return to a business if their personal information were stolen.

"This research confirms that poor document management practices can significantly damage a business's reputation and discourage once-loyal customers from ever returning," said Gail Cunningham, a spokeswoman for the National Foundation for Credit Counseling. "It could also discourage potential customers from ever entering."

For a hospital, Ponemon said, a patient's decision to take his or her business elsewhere represents a loss of $107,580 over the patient's lifetime. That cost does not include how much facilities would need to spend on patient notification and credit protection after a breach.

"Clearly, the data breach issue is a big issue, and it's costing health care organizations, we extrapolate, potentially billions of dollars," Ponemon said. "So it's a serious problem, and it's a problem that doesn't seem to be going away -- at least in the near term."
