In one scenario used to demonstrate the model, the authors hypothesized an unintentional breach of 845,000 records that led to an incident of clinical fraud resulting in one patient's death. For an organization with $242 million in claims revenue, such a breach would cost nearly $25.5 million, according to the authors. Weighting that single-event cost by the likelihood that the breach occurs in a given year, the scenario produced an annualized loss expectancy of $5.2 million, which implies an annual probability of roughly one in five.
Health information technology provides increased access to patients' individually identifiable medical records, the report's authors state. But with "multiple and more expansive databases in numerous locations," more people have access to protected health information, or PHI, as defined in the Health Insurance Portability and Accountability Act of 1996. This in turn offers "many more opportunities for this information to be accidentally or intentionally disclosed, lost or stolen," according to the authors.
A survey circulated to more than 100 PHI project participants, including providers, payers, consultants and other "subject-matter experts," revealed "somewhat conflicting insights as to the effectiveness and management support of current privacy programs," the report said.
On one hand, 75% of survey respondents said they agreed or strongly agreed with the statement, "We have effective policies to protect PHI," and 76% agreed or strongly agreed their organization has taken "effective steps to comply."
However, when presented with the statement, "Management views privacy and security as a priority," 28% of those surveyed disagreed or strongly disagreed and 11% were "neutral." Meanwhile, in response to the statement, "We possess sufficient resources to ensure that requirements are currently being met," 32% disagreed or strongly disagreed and 22% were neutral.
A majority (59%) of these respondents, when asked to name the most significant impediment their organizations faced in maintaining a strong privacy and security posture, cited a lack of funding. Also cited were insufficient time (40%) and lack of senior executive support (32%).
Regarding the most likely threats to PHI security, 85% of respondents rated an insider as the "most likely" or a "very likely" threat, while 76% also rated malware infestation as a very likely or likely threat.
"The survey responses revealed that the majority of participants want to comply and secure PHI, but they believe that budgetary constraints and the lack of executive commitment, leadership and accountability as well as the evolving nature of threats and the technologies available to protect PHI, combine to make real protection of health information very challenging," the authors concluded.