CIMIP Participates in Congressional Briefing on Protected Health Information

Partners to Enhance Safeguards

Written By Dan Shanley '12, PR Intern

CIMIP, UC staff travel to Washington to participate in briefing

---

Contact

cleogrande@utica.edu

Utica, NY (03/06/2012)

- Representatives from Utica College and the Center for Identity Management and Information Protection (CIMIP) traveled to Washington to take part in a congressional briefing yesterday which unveiled the Protected Health Information (PHI) Project report, “The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security.”

As part of the PHI project survey committee, CIMIP Executive Director Donald Rebovich (committee co-chair) and CIMIP staff were responsible for the administration and analysis of the survey, “Current Practices and Attitudes,” among more than 200 participants nationwide, including those in the medical and information security industries, as well as other subject matter experts to provide an understanding of industry reaction to federal and state laws, current levels of compliance, and barriers to strengthening compliance programs, in addition to the frequency and ramification of PHI breaches.

The survey responses revealed that the majority of participants want to comply and secure PHI, but they believe that budgetary constraints and the lack of executive commitment, leadership, and accountability, as well as the evolving nature of threats and the technologies available to protect PHI, combine to make real protection of health information extremely challenging.

Seventy-five percent believed their organization possesses effective policies to protect PHI and takes effective steps to protect PHI. But almost 40% did not believe that their organizational management views privacy and security as a priority, and 54% did not feel that their organization possesses sufficient resources to ensure protection requirements are currently being effectively protected. When asked about the complexity of the laws and the ease of compliance, only 12% felt the laws were “easy to understand” and only 14% thought the laws were “not difficult at all” to comply with.

When asked to identify the most significant impediments their organization faces to achieving a strong privacy and data security posture with respect to how PHI is collected, used, and retained the most common impediment was seen as “lack of funding”(59%) and followed by insufficient time, lack of senior executive support,” and lack of accountability and leadership.”Responses showed that more than 85.3 % of participants stated that the accidental or inadvertent exposure from an insider was the “most likely” or “very likely” threat to protected data. More than 50 % believed that some type of security threat was likely adversely affecting their organizations now.

The complete results of the survey are found in Appendix E of the full report.

Seeking to enhance the nation’s ability to protect PHI from cyber threats and other criminals, CIMIP is one of the partner sponsors of the PHI project. The project is a collaboration of the American National Standards Institute (ANSI), in partnership with the Santa Fe Group/Shared Assessments Program Healthcare Working Group and the Internet Security Alliance.

Raymond Philo, executive director of the Economic Crime Institute and economic crime and justice studies research director will join Suzanne Lynch, assistant professor of criminal justice and director of the economic crime management program and Ingrid Norris, administrative analyst, in representing the college at the briefing.

The health care delivery system relies on the belief that those receiving health care information will keep records confidential and secure. As more of these records are stored and transmitted electronically, however, additional measures must be in place to ensure their safekeeping. When PHI data is breached or compromised, financial, legal and reputational ramifications among organizations are severe, in addition to the threatened well-being of the patient.

The report provides a method for organizations to calculate the estimated costs of a data breach, and determine an appropriate investment to strengthen privacy and security programs.

The full report is available for free download at http://webstore.ansi.org/phi.