Mobile Technology and the Rise of Healthcare Data Breaches

September 23, 2011

A newly released study on data breaches raises the question: What actions are practices taking to protect their data?

Has your practice addressed privacy and security issues associated with the use of mobile devices? If the answer is yes, you’re ahead of the game. 

Apparently, 55 percent of healthcare providers who answered PwC Health Research Institute’s survey of 600 healthcare executives (including large healthcare organizations as well as physician practices) said they hadn’t addressed these issues. Additionally, less than one-quarter of these providers said they had addressed privacy and security implications of social media.

In its report, “Old data learns new tricks: Managing patient privacy and security on a new data-sharing playground,” PwC says that existing privacy and security controls have not kept pace with new technology-driven realities in healthcare, including increased access to EHRs, greater data collaboration with external partners, and the rise of social and mobile technology. And perhaps for this reason, theft now accounts for 66 percent of total reported health data breaches over the past two years. Medical identity theft also appears to be on the rise.

Much of the problem has been attributed to general unpreparedness on the part of healthcare organizations. Less than half (37 percent) of health organizations surveyed incorporate approved uses of mobile devices and social media as part of company privacy training. Only 58 percent of providers and 41 percent of health insurers say they include the appropriate use of EHRs as part of employee privacy training. And only 36 percent of health organizations perform a pre-contract assessment of their business associates such as business partners and vendors.

"Although paper-based health information breaches must now be disclosed under the breach notification provision under the HITECH Act, electronic data breaches occur three times more frequently and affect 25 times more people when they occur," said James Koenig, director and co-leader of PwC’s Health Information Privacy and Security Practice, in a press statement. "Most breaches are not the result of IT hackers, but rather reflect the increase in the risks of the knowledgeable insider related to identity theft and simple human error - loss of a computer or device, lack of knowledge, or unintended unauthorized disclosure."

Joel Weinshank, director of healthcare markets for BoxTone, a mobile device security and management provider, said that an increased use of mobile devices in healthcare is putting more practices at risk of a data breach.

“This is absolutely consistent with what we’ve seen,” Weinshank told Physicians Practice. “Any meaningful use initiative, at some point in time, is going to touch a mobile device. So at some point in time, the electronic protected health information will be sent to and stored by these devices. IT [staff] needs to get ahead of this now to make sure devices are secure and breaches don’t happen.”

Weinshank suggests having policies in place and enforcement procedures that says who can access what device at what time.

“Healthcare organizations should be able to know, ‘is that PA using the particular device assigned to him or her,’” he says.