Report spotlights data-breach costs, concerns

A new report by a task force of data privacy and security experts warns that although federal health information technology incentive payment programs have promoted the use of electronic health-record systems, efforts to promote digital security and maintain data integrity have not kept pace.

The 67-page report, "The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security," was released Monday morning. It is a product of the PHI Project—a coalition led by the American National Standards Institute and its Identity Theft Prevention and Identity Management Standards Panel, consultant Santa Fe Group and the Internet Security Alliance, an industry trade association.

The report authors came up with a complex risk-quantification formula that takes into account multiple cost factors associated with a medical records breach, including legal costs from government enforcement actions as well as civil lawsuits, clinical ramifications, such as fraudulent claims being processed, various administrative issues, such as the cost of media relations, identity theft monitoring and developing a corrective action plan, and the cost of reputation damage.

In one scenario used to demonstrate the model, the authors hypothesized about an unintentional breach of 845,000 records that led to an incident of clinical fraud resulting in one patient's death. For an organization with $242 million in claims revenue, the breach would cost nearly $25.5 million, according to the authors. With probabilities taken into consideration, the scenario produced an annualized loss expectancy of $5.2 million.

Health information technology provides increased access to patients' individually identifiable medical records, the report's authors state. But with "multiple and more expansive databases in numerous locations," more people have access to protected health information, or PHI, as defined in the Health Insurance Portability and Accountability Act of 1996. This in turn offers "many more opportunities for this information to be accidentally or intentionally disclosed, lost or stolen," according to the authors.

A survey circulated to more than 100 PHI project participants, including providers, payers, consultants and other "subject-matter experts," revealed "somewhat conflicting insights as to the effectiveness and management support of current privacy programs," the report said.

On one hand, 75% of survey respondents said they agreed or strongly agreed with the statement, "We have effective policies to protect PHI," and 76% agreed or strongly agreed their organization has taken "effective steps to comply."

However, 28% of those surveyed said they disagreed or strongly disagreed and 11% were "neutral" with the statement, "Management views privacy and security as a priority." Meanwhile, 32% disagreed or strongly disagreed and 22% were neutral in response to the statement, "We possess sufficient resources to ensure that requirements are currently being met."

Most (59%) of these respondents, when asked to name the most significant impediment their organizations faced in maintaining a strong privacy and security posture, said a lack of funding. Also cited were insufficient time (40%) and lack of senior executive support (32%).

Regarding most likely threats to PHI security, 85% of respondents indicated an insider was the "most likely" or a "very likely" threat, but 76% also indicated that malware infestation was a very likely or likely threat.

"The survey responses revealed that the majority of participants want to comply and secure PHI, but they believe that budgetary constraints and the lack of executive commitment, leadership and accountability as well as the evolving nature of threats and the technologies available to protect PHI, combine to make real protection of health information very challenging," the authors concluded.