Posts Tagged ‘phi’


Outsourced data breach response lowers costs

Posted by: Doug Pollack | February 9th, 2010

The Ponemon Institute released its fifth annual study, the 2009 Annual Study: Cost of Data Breach, last month. This year the report explored several new areas and reached some interesting, and in some cases surprising, conclusions.

These include:

- Customer/patient/client churn, the tendency of a data breach to make people “vote with their feet” and choose another provider, remains the key cost driver for data breach incidents. Lost-customer costs are typically about two-thirds of the total cost of a breach. The industries with the highest churn rates are healthcare, pharmaceuticals and communications (all 6%).

- Almost half (44%) of organizations outsourced the data breach response effort to an expert third-party consultant. When the response was outsourced in this way, the cost per victim was 26% lower than for companies that “go it alone”. That outsourcing reduces cost is counterintuitive to some, but it validates the value of an outside consultant who knows the process and can execute it using established practices.

- “Companies that notify too quickly may incur higher costs”. This was surprising to me. The study found that “quick responders”, organizations that notified within one month of detecting the breach, ended up paying 12% more per victim than their peers. The report’s explanation is that moving too quickly through the process introduces inefficiencies that could have been avoided.

As always, the study and report are full of valuable and interesting data and perspective for privacy, information security, legal and financial officers. It is a “must read” for anyone in a relevant role at an organization that is entrusted with PII and PHI, especially CISOs, who are most often the organizational members responsible for handling data breach incidents.

Who Should I Trust with My Health Information?

Posted by: Doug Pollack | January 9th, 2010

One of the panels at the Consumer Electronics Show Digital Health Summit is asking a really interesting question: Who will you trust with your health data? As described in an article in Healthcare IT News on healthcare data privacy and security, there have been numerous data breach incidents over recent years in which sensitive patient information has been inappropriately disclosed.

“In 2009, PrivacyRights.org reports that there were 46 breaches of PHI representing nearly 80M records.  Note that 76M of those records were from the VA that inadvertently sent one of its RAID drives out for repair without cleansing it of those 76M records of veterans.  If you can’t trust the government to keep your PHI safe, who can you trust?”

Now I must admit, I would never have suggested that it is reasonable to assume that the government is good at maintaining the privacy of the personal information it collects on American citizens. But it is reasonable to assume that as more protected health information (PHI) is collected, stored, shared and manipulated in computer systems at healthcare providers and payors, the risk of exposure, and the subsequent number of data breach incidents, will rise.

So it really does make for an interesting thought, do I trust my doctor and hospital with my health data? Do I trust my health insurer with my health data? How about my pharmacy? Like it or not, I don’t have much choice but to provide them with or allow them to access my PHI.

But I do have a choice as to whether I should entrust Microsoft or Google with this sensitive information. Both companies have built systems “in the cloud” that allow consumers to centralize their personal health history. Microsoft HealthVault is designed to let us “collect, store, and share health information critical to our family’s well-being” and Google Health allows us to “organize our health information all in one place, gather our medical records from doctors, hospitals, and pharmacies, and share our information securely with a family member, doctors or caregiver.”

Microsoft has made HealthVault quite “open”, enabling organizations such as providers, payors, pharmacies and others to create applications that let individuals import the information those organizations hold on us into our HealthVault account. I set up a HealthVault account to see how this worked. Unfortunately, neither my national pharmacy chain nor my health insurer was on the list of those who make such information “exportable” to HealthVault.

Assuming that my providers, insurer and pharmacy do offer such export capabilities in the future, it still leaves me with a nagging concern: do I really trust Microsoft to hold my entire medical life history? While I’d love to have all of this information in one place, and to be able to make it available to healthcare providers I may want to see in the future, the thought of entrusting it to anyone is daunting, least of all a company whose software is a constant target for viruses, worms and malware of all kinds.

So for now, I probably won’t start trusting my medical history to either Microsoft or Google. My health data will remain somewhat safe with doctors, an insurer, a pharmacy, and numerous business associates of theirs whom I don’t even know by name, all of whom I hope I can trust. But given the number and scope of healthcare data breaches in the last year or so, I’m not feeling very confident about my healthcare data privacy at this moment.

Healthcare Breach Reporting Article Highlighted by HCPLive

Posted by: Rachel James | December 21st, 2009

Thanks to Healthcare Professionals Live for highlighting this article and the important questions it raises.

…I was wondering why there have yet to be any healthcare data breaches posted on the Health and Human Services (HHS) Office for Civil Rights (OCR) website. Because a number of substantial incidents have been reported in the press since the notification requirement under the HITECH Act went into effect, it was unclear whether the covered entities were remiss in reporting or whether the hold-up was at OCR…


Where are the healthcare data breaches?

Posted by: Doug Pollack | November 24th, 2009

Since the HITECH Act data breach notification provisions became effective this past September 23, 2009, I’ve been curious about the number and nature of the data breaches that would start to appear on the Department of Health and Human Services (HHS) website.

The HHS rules require healthcare organizations (specifically, HIPAA covered entities) to report to HHS any data breach affecting 500 or more individuals, without unreasonable delay and no later than 60 days after the breach is discovered. I noticed that the Identity Theft Resource Center (ITRC) 2009 ITRC Breach Report, a terrific compendium of public information on data breach incidents drawn from numerous sources, had captured numerous healthcare data breaches since the September 23rd effective date. And of course there have been several very high-profile healthcare data breaches recently, including the Blue Cross Blue Shield Association breach that affected over 850,000 of their medical providers, as well as the recent Health Net data breach affecting over 1.5 million individuals.

So with great anticipation I visited the HHS website where there is a section on the Breach Notification Rule and clicked on the following link:

“View Breaches Affecting 500 or More Individuals. OCR must post a list of breaches that affect 500 or more individuals.  View a list of these breaches.”

And surprisingly, there was nothing there. Now, it is very hard to imagine that no data breaches affecting 500 or more individuals, with the potential to cause harm to the affected population, have been detected since September 23rd. So I’m perplexed as to why HHS has not yet listed any breaches of 500 or more individuals.

I guess it is possible that some healthcare providers are still unaware of the reporting mandate, but it would seem unwise for those that are aware of the breach notification provisions and have experienced a sizable data breach to neglect the mandatory HHS reporting requirement. If anyone can shed light on the lack of content on the HHS data breach notification site, I think it would be of interest to all of us who are watching to see whether the public reporting provisions of the HITECH Act will result in more responsible behavior by the entities that hold our protected health information (PHI).

Staying HITECH-Healthy: How Healthcare Can Protect Patient Privacy

Posted by: Doug Pollack | November 4th, 2009

September 23, 2009 marked a major milestone for patient rights. That is when the breach notification provisions of the new Health Information Technology for Economic and Clinical Health (HITECH) Act took effect, requiring healthcare organizations to take more responsibility for protecting patient records and health information.

The HITECH Act seeks to streamline healthcare and reduce costs through the use of health information technology, including the adoption of electronic health records. To ensure that technology and security go hand in hand, the HITECH Act also includes strict new rules for notification when a data breach improperly exposes protected health information (PHI).

Healthcare organizations and their business associates are now required to notify the individuals affected by a data breach and to notify the federal government, which publicly posts breaches affecting 500 or more individuals. The HITECH Act also stiffens the civil penalties for non-compliance, to as much as $1.5 million per year.

It is too soon to see the full impact of the HITECH Act. Certainly, government agencies are fine-tuning, and debating, the details. But whatever happens in Washington, healthcare organizations would be smart to ask:

- Will the federal and state governments impose even stricter privacy initiatives over the next six months as a result?

- Will the move toward electronic health records increase healthcare breaches?

- Regulatory penalties aside, what are the consequences of a data breach, such as loss of credibility for my organization, and medical and financial risks to the people whose data was lost?

Tighter Privacy Laws. More Data Breaches.

These new regulations come at a time when healthcare breaches are on the rise; according to the 2009 ITRC Breach Stats Report, healthcare breaches account for over 66 percent of all records breached this year (up from 20 percent in 2008). In fact, some of the largest names in healthcare have suffered data breaches. In one incident, an employee at a high-profile medical center allegedly stole the personal information of 1,000 patients with the intent to defraud insurance companies. Another case involved the theft of a laptop that may have contained PHI such as medical record numbers, names, and Social Security numbers. And at a New York City hospital, an admissions employee was suspected of selling 2,000 patients’ data as part of an identity theft scheme and of illegally accessing nearly 50,000 records.

Data Breaches Don’t Have to Spell Disaster.

With these new regulations in place, healthcare organizations are scrambling to understand the requirements and how to adapt and comply. Unfortunately, we have learned firsthand, through managing hundreds of data breaches, that few organizations actually have breach response plans in place, despite the laws.

For the well being of the business and patients, healthcare organizations and their partners need to take the most comprehensive approach to data breach preparedness, as one customer did:

Thieves broke into a prominent healthcare facility and took, among other items, a desktop computer containing patients’ personal information.  Approximately 4,000 medical records were at risk.

The breach team at ID Experts provided a risk assessment for the hospital, handled communication with the affected population, and delivered protection and recovery services to those affected. In the end, ID Experts handled more than 1,500 calls; only a handful of callers required assistance directly from the hospital. We delivered notifications to more than 5,000 people and enrolled more than 1,200 people in our protection and recovery services program.

An excellent tool for establishing procedures in advance of a data breach is an incident response plan. ID Experts offers services that provide guidelines for establishing an incident response team and that outline its responsibilities and actions. The plan contains instructions, worksheets and materials that can be used to streamline the response process.

The new HITECH Act requirements will likely affect every aspect of your operations: business and healthcare processes; IT data security, retention, and monitoring; contracts and business relationships.  With increasing risks, having a response plan in place will benefit your patients, your employees and your business.

Healthcare Debate Gets into Data Breach Provisions

Posted by: Doug Pollack | October 5th, 2009


Some controversy has been stirred up in a less closely followed corner of the healthcare debate than single payer: the privacy of health information. The Department of Health and Human Services has just released the rules that healthcare organizations must follow under the data breach notification provisions of the HITECH Act.

In the rules, HHS established a “harm threshold”, self-assessed by the healthcare organization, under which notification of the affected individuals, the public and HHS is required only if the organization determines that the data loss poses a significant risk of financial, reputational or other harm to those affected.

This past week, the House Committee on Energy and Commerce voiced concern over the addition of this provision. The committee indicated that the intent of the legislation was not to require notification only where harm can be shown, but for all data breach incidents, presumably both to deter organizations with lax practices and to ensure that individuals can exercise due care even where there may be little chance of real harm.

Network World reported in their article titled “House members seek stronger health care data breach notifications, ‘Harm threshold’ runs counter to Congress’ intent” that:

“In a letter dated Oct. 1, members of the House committee asked HHS Secretary Kathleen Sebelius to revise or repeal the new provision at the ’soonest appropriate opportunity’. The letter, signed by the chairman of the committee, Rep. Henry Waxman (D-Calif.) and others, noted that the new harm threshold provision runs counter to Congress’ intent in passing the breach notification bill. The bill’s statutory language does not imply a harm standard, Waxman wrote. In fact, in drafting the bill, Congress had explicitly rejected the idea of including such a provision because of the ‘breadth of discretion’ it would have given a breached entity, the letter said.”

It is terrific to see Congress trying to do the right thing, when it comes to the privacy of protected health information (PHI). I’m hopeful that HHS will see the wisdom in revising their rules for the benefit of all of us that rely on the American healthcare system.