A new study reveals that the push for Electronic Medical Records puts patient privacy at risk. The Ponemon Institute and LogLogic surveyed hospital security professionals and found that 70% say their senior management fails to prioritize privacy and data security.
2. Security of Electronic Health Information
Sponsored by LogLogic
Presented by Dr. Larry Ponemon
Webinar: September 30, 2009
3. About the study
• The purpose of the study is to determine from IT security practitioners in healthcare organizations how secure they believe electronic patient health records are – especially those records stored in databases.
4. The survey addressed the following topics
• The adequacy of the organization’s approach to the security of health information.
• Senior management’s views about the importance of securing health information.
• How electronic health information is used by the organization.
• The database applications that cause the most risk to health information and the difficulty in securing health information in databases.
• Steps taken to secure health information in databases and their effectiveness.
• The impact of compliance on the security of electronic health information.
5. How is the above electronic health information used by your organization?
The top five uses (percentage of respondents):
• Billing & payments: 67%
• Insurance verification: 60%
• Marketing & communications: 58%
• Patient relations: 54%
• Patient care (clinical): 53%
6. What kinds of database applications cause the most risk to electronic health information?
Each value is the average ranking, where 3 = highest risk and 1 = lowest risk:
• Administrative applications such as patient scheduling systems: 1.9
• Business applications such as billing and insurance processing: 2.5
• Clinical applications such as physician notes, prescriptions or diagnostic reports: 1.6
7. How would you rate the effectiveness of the above mentioned data security measures you have in-place for securing electronic health information in databases?
• Very effective: 19%
• Effective: 24%
• Somewhat effective: 25%
• Not effective: 24%
• Unsure: 9%
8. How many of the above data breaches experienced by your organization involved electronic health information stored in a database?
• More than 90%: 33%
• 75% to 90%: 19%
• 50% to 74%: 16%
• 25% to 49%: 10%
• 10% to 24%: 8%
• Less than 10%: 5%
• None: 9%
9. If your organization had a data breach involving the loss or theft of patient health information (say 1,000 or more records), what would this incident cost your company on a per lost record basis?
• Less than $50: 6%
• $50 to $100: 9%
• $101 to $150: 19%
• $151 to $200: 30%
• $201 to $250: 10%
• $251 to $300: 3%
• More than $300: 12%
The extrapolated value of a data breach involving EPHI on a per compromised record basis is $211.
10. Log & Security Management Helps …
» Visibility – Broad Based Monitoring
» Access to electronic healthcare records
» Database activity monitoring
» Creation/deletion of new user accounts
» Assigning/changing access rights and privileges
» Threat monitoring and incident response
» Forensic analysis (immutable audit trail, electronic evidence)
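The bullets above name what a log and security management platform should watch on a health-records database: reads of patient records, account creation, privilege grants, and a tamper-evident audit trail for forensics. The following is an added illustration written for this page, not code from LogLogic or from the Ponemon report. It runs simple detection rules over a handful of constructed database audit events (the field names, thresholds, and table names are assumptions) and then chains the events with SHA-256 so that any later modification of a stored event is detectable.

```python
import copy
import hashlib
import json

# Constructed sample audit events (not real hospital data). Each dict stands for
# one line a database audit log might emit; the field names are assumptions.
SAMPLE_EVENTS = [
    {"ts": "2009-09-30T09:12:04", "user": "nurse_a", "action": "SELECT",
     "object": "patient_record", "rows": 1},
    {"ts": "2009-09-30T09:15:40", "user": "dba_root", "action": "CREATE USER",
     "object": "temp_contractor", "rows": 0},
    {"ts": "2009-09-30T09:16:02", "user": "dba_root", "action": "GRANT",
     "object": "patient_record", "rows": 0, "grantee": "temp_contractor"},
    {"ts": "2009-09-30T02:41:19", "user": "temp_contractor", "action": "SELECT",
     "object": "patient_record", "rows": 4800},
    {"ts": "2009-09-30T11:03:55", "user": "billing_svc", "action": "SELECT",
     "object": "claims", "rows": 250},
]

# Assumed policy: which tables hold PHI, what counts as a bulk read, and when
# clinical staff are expected to be working.
PHI_OBJECTS = {"patient_record"}
BULK_ROW_THRESHOLD = 1000
BUSINESS_HOURS = range(7, 20)  # 07:00 through 19:59 local time
PRIVILEGE_ACTIONS = {"CREATE USER", "DROP USER", "ALTER USER", "GRANT", "REVOKE"}


def hour_of(ts):
    """Hour field of an ISO-8601 timestamp such as 2009-09-30T02:41:19."""
    return int(ts[11:13])


def detect(events):
    """Apply the monitoring rules; return a list of (rule_name, event) alerts."""
    alerts = []
    for ev in events:
        # Account lifecycle and access-rights changes are always reported.
        if ev["action"] in PRIVILEGE_ACTIONS:
            alerts.append(("privilege_change", ev))
        # Reads of PHI are judged on volume and on time of day.
        if ev["object"] in PHI_OBJECTS and ev["action"] == "SELECT":
            if ev["rows"] >= BULK_ROW_THRESHOLD:
                alerts.append(("bulk_phi_read", ev))
            if hour_of(ev["ts"]) not in BUSINESS_HOURS:
                alerts.append(("off_hours_phi_access", ev))
    return alerts


GENESIS = "0" * 64  # fixed previous-hash for the first link


def canonical(ev):
    """Stable byte encoding so the same event always hashes the same way."""
    return json.dumps(ev, sort_keys=True, separators=(",", ":")).encode()


def build_chain(events):
    """Hash-chain the events: each link commits to its event and to the previous hash."""
    chain, prev = [], GENESIS
    for ev in events:
        digest = hashlib.sha256(prev.encode() + canonical(ev)).hexdigest()
        chain.append({"event": ev, "prev": prev, "hash": digest})
        prev = digest
    return chain


def verify_chain(chain):
    """Recompute every link; return the index of the first broken link, or -1 if intact."""
    prev = GENESIS
    for i, link in enumerate(chain):
        expected = hashlib.sha256(prev.encode() + canonical(link["event"])).hexdigest()
        if link["prev"] != prev or link["hash"] != expected:
            return i
        prev = link["hash"]
    return -1


def tampered_link_index():
    """Simulate an insider shrinking the 4,800-row read to 1 row after the fact."""
    chain = copy.deepcopy(build_chain(SAMPLE_EVENTS))
    chain[3]["event"]["rows"] = 1
    return verify_chain(chain)


if __name__ == "__main__":
    for rule, ev in detect(SAMPLE_EVENTS):
        print(f"{rule:22} {ev['ts']} {ev['user']} {ev['action']} {ev['object']}")
    print("intact chain broken at:", verify_chain(build_chain(SAMPLE_EVENTS)))
    print("tampered chain broken at:", tampered_link_index())
```

On the sample input the rules flag the contractor account being created and granted access to patient records, and the same account's 4,800-row read of that table at 02:41. The chain check returns -1 for the untouched log and 3 once the row count of the fourth event is edited, which is the forensic property the slide calls an "immutable audit trail": the chain does not stop anyone from editing the stored log, but it makes the edit visible. In practice the hashes would be anchored somewhere the database administrator cannot write, such as a separate log server or write-once storage, otherwise the attacker simply rebuilds the chain.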
12. Connected Hospital
(Diagram: the hospital exchanges information with Employers; Public Health Organizations; Laboratories; Pharmacies; Connected Clinicians; Social Services; Clinics; Emergency / First Responders; Suppliers; Government and Private Payers; Home and Long-Term Care; other Hospitals.)
Monitoring Allows You To “Trust But Verify”
13. Read The Full Report!
» You can view the entire webcast on demand at: http://www.loglogic.com/news/webcasts
» A full copy of the report is available at: www.loglogic.com/resources/analyst-reports/ponemon-electronic-health-info-at-risk/
14. Thank You!
For more information or
to schedule a demo contact us at:
info@loglogic.com
Editor's notes
I promise to try and keep it simple, while we address many important issues that will help you gain a better understanding of the risks and trends that require healthcare organizations to adopt a culture of proactive information security with real-time database security & log management throughout your IT, clinical, business, and program practices.
I will explore several drivers from a legal, clinical, and business perspective that are driving the need for real-time database security & log management.
I will also show how LogLogic has helped some of your peers and can help you.
Now this is from the perspective of a single hospital. Let's look at how many affiliated entities are connected. Each one of these has many security devices that share security event data in addition to devices that access and use sensitive data.
On the first pass, I look at this and think “wow, the healthcare service model is really big with a lot of players.” But then I also begin to think about the risks. This connected electronic information sharing model also exposes insurers and providers to cybercrime, fraud, and accidental loss of sensitive data.
We need a health information technology architecture that allows ubiquitous and secure exchange and use of health information.
So as you think about how many computer devices you have and each of these entities may have, I hope you can begin to understand why I say, “Real-time data protection is a foundation for delivery of high quality care and patient safety.”
We have: call centers with remote workers; office workers that take records home on flash drives and laptops; claims and field workers with mobile access devices; physicians accessing e-prescribing systems and using PDAs and laptops; nurses with wireless pagers or phones on the floor; and this is just a few examples of the day-to-day activities.
All of these users are endpoints with endpoint devices that have to be connected through a secure exchange of sensitive data.
And as if the day-to-day clinical and business demands were enough to manage, you are now also living through the compliance decade.
Let's take a look at our next slide.