Despite new federal laws to protect the privacy of medical files, many hospitals are ill-prepared to prevent security breaches that may result in patient records being stolen, lost or misused, a new survey shows.
Three in four hospitals and health organizations said medical records of patients had been put at risk of improper disclosure “due to inadequate security controls, policies or procedures,” according to the survey released Thursday at a meeting of government health information planners in Washington.
“This is a call to action,” said Lisa A. Gallagher, a privacy and security expert who conducted the study for the Healthcare Information and Management Systems Society (HIMSS). “We need to get focused on security.”
In the survey, one in three groups said they knew of at least one case of medical identity theft from records under their control — nearly double the number reported in a similar study last year.
Half of those surveyed said they had no plan in place to respond to security threats and many of them indicated that they are spending “little additional resources” to combat the problem.
The report comes as federal officials are launching an ambitious plan to encourage greater use of digital medical records. Officials are planning to spend as much as $45 billion in stimulus funds in the coming years to help doctors and hospitals purchase these systems. The Obama administration is also moving forward with plans to convert an obscure government data collection system into a Health Internet, which would encourage sending sensitive medical information into cyberspace.
“These factors may put health data at a higher risk of exposure in the future, and increase the need for mature security processes and controls,” Gallagher wrote in her report.
Two hospital groups, the American Hospital Association and the Federation of American Hospitals, had no immediate comment on the report.
The stimulus bill contains a series of new provisions to tighten the privacy and security of electronic health data. For instance, the law requires health care providers to notify patients when their personal information falls into the wrong hands.
Yet the survey released on Thursday found that many hospitals lack even basic tools to encrypt health care data as a means to prevent its misuse or theft. Fewer than half said they encrypt records they store, while just two-thirds use encryption techniques when sending health records over the Internet.
“Health care is no different than other industries grappling with the challenges of cyberspace,” said Aneesh Chopra, the White House chief technology officer, in response to the survey.
The study, conducted from August to October, questioned about 200 top-level health information technology professionals working in hospitals and other medical institutions. It was run by HIMSS, whose members represent a cross-section of health information technology professionals. The survey’s purpose was to gauge how well these institutions are preparing for the national switch-over to electronic medical records. The administration hopes to create a digital medical file for every American within the next five years.
The findings surprised some members of the government Health Information Technology standards panel, which is aiding federal officials in setting standards for distributing stimulus money to doctors and hospitals that purchase digital records systems.
“I think the survey results show that health care organizations still perceive security to be a compliance issue, not a function critical to their business or providing quality care,” said Dixie Baker, who heads the standards committee’s privacy workgroup.
Committee member Walter Suarez said he was “surprised” that so many hospitals hadn’t even met basic security standards already required under federal law.
“The first question is really: Do we need to have a much larger picture of what is going on across the country,” Suarez said.