Beginning with the February economic stimulus package, the Obama administration has made it clear that the digitization of medical records is a high priority.
But converting people’s most sensitive personal information into the digital format inevitably brings privacy concerns in tow, and a new study has called attention to just how significant the challenge may be.
In a national poll of more than 500 IT personnel at large health-care organizations, the Ponemon Institute research group found that 80 percent had experienced a data breach that compromised patient records in the past year. Four percent reported more than five breaches.
“The majority of IT practitioners in our study don’t believe that their organizations have adequate resources to protect patients’ sensitive or confidential information,” Larry Ponemon, the group’s chairman and founder, said in a statement. “The lack of resources and support from senior management is putting electronic health information at risk.”
On its face, the idea of electronic medical records is an alluring one. Computerized records promise to drive efficiencies in the health-care system, which in turn could yield significant cost savings. Having a digital composite of a person’s lifelong medical history could also flag things like past conditions or potentially harmful drug interactions, which could improve health outcomes.
That opportunity has drawn considerable interest from some of the biggest names in technology, such as IBM, GE, Google and Microsoft.
But the privacy question remains. The Ponemon study, sponsored by security-management firm LogLogic, found that more than two-thirds of IT professionals said that senior management at medical facilities didn’t consider data security and privacy a priority.
Additionally, 53 percent of survey respondents said their facility has inadequate safeguards to protect patients’ records.
The average cost of a breach of one patient’s information was $210, according to the study.
Survey respondents spoke favorably about new rules that amended the Health Insurance Portability and Accountability Act (HIPAA), which equated a breach, regardless of the circumstances, with non-compliance.