Predictions can be tough, and even more so in the fast-paced world of healthcare IT. There have always been challenges to maintaining healthcare data security and privacy — and 2019 will be no different. High-profile data privacy scandals and data breaches, including those involving Google and Facebook, have rocked consumers’ worlds this past year. At the same time, advanced threats like drug diversion and insiders have increased in the healthcare ecosystem.
To help you navigate this new world of advanced privacy and security, we’ve compiled 5 industry trends likely to unfold over the next 12 months – along with insights into how care providers can proactively strengthen patient data privacy and security.
Prediction #1: Interoperability Will Drive Privacy and Security Improvements
According to HIMSS, interoperability describes the extent to which systems and devices can exchange and interpret shared data. For two systems to be interoperable, they must be able to transfer data and present that data so a user can understand it.
The average health system uses 16 distinct EMR vendors. When healthcare organizations run and maintain that many systems, it can become more complex to properly manage and secure patient data. Without connectivity and an overarching view of where patient data is located, it can be difficult for healthcare organizations to understand who has access to what information – and to uphold data security, compliance, and patient safety.
“This is the reason CMS [the Centers for Medicare and Medicaid Services] shifted meaningful use to promoting interoperability,” says HIMSS Analytics Chief Revenue Officer Mitchell Icenhower. “This is the environment health systems work in today. This is the challenge they have: so many data sources trying to provide a total view of the patient.”
In the year ahead, we expect healthcare systems to explore how interoperability can enhance privacy and security initiatives, as existing EHRs and new vendors will need to integrate with one another to provide more holistic views of where patient data is located and who is accessing that data.
Prediction #2: The Opioid Epidemic Will Continue to Drive Drug Diversion
The opioid epidemic has hit an all-time high this past year, which has fueled increased instances of drug diversion in the care setting. Estimates indicate there are 37,000 annual instances of drug diversion in health systems nationwide. In the first half of 2018 alone, the Department of Justice and the Drug Enforcement Agency took 54 enforcement actions and 283 administrative actions related to their diversion prevention efforts. Yet care providers don’t always spot or report incidents when they occur.
“The diversion of drugs from health facilities is still vastly underreported,” says Commander John Burke, President of Pharmaceutical Diversion Education.
Drug diverters are known to compromise data privacy and security to divert drugs in the care setting, which can hurt patients, care providers, and drug diverters themselves. In one example from August 2018, a care provider was fined $4.3 million to settle federal charges surrounding drugs stolen from their facility.
In the coming year, we expect more health systems to bolster their existing drug diversion monitoring programs or build new programs.
Prediction #3: New Privacy Regulations Will Continue to Arise in Addition to HIPAA
U.S. care providers are no strangers to protecting sensitive data under HIPAA requirements. But as discussions about data privacy and security have come to the forefront of society, more data privacy regulations have emerged.
In May 2018, the EU General Data Protection Regulation (GDPR) was enacted; the law provides guidance on breach protection and response for any organization worldwide processing or handling EU citizen or resident data. The GDPR gives data subjects – anyone whose personal data is being collected, processed, or stored – specific rights that differ from those under HIPAA. GDPR also requires a much shorter timeframe for data breach notification than HIPAA.
Other privacy regulations have followed, like CaCPA, which was signed into California law on June 28, 2018. Described as a landmark policy, it’s the first significant privacy law passed in the United States. Like the GDPR, CaCPA gives data subjects specific rights to their data.
In 2019, healthcare providers will begin addressing these privacy regulations by assessing the way that EHRs and other applications process, store, and transmit PHI. This is related to Prediction #1 – healthcare organizations will need interoperable systems that can fulfill multiple regulations, in addition to HIPAA.
Prediction #4: Insider Threats Will Remain the No. 1 Threat to Patient Data
Compared with other industries, healthcare faces an advanced set of challenges to securing data — from the proliferation of ePHI across multiple systems to digitized business processes and the high value of patient data to fraudsters.
According to Verizon’s 2018 Data Breach Investigations Report, healthcare is the only industry where insider threats outnumbered external threats. In fact, 58 percent of healthcare breaches involved insiders last year, and 48 percent of insider incidents were motivated by financial gain, costing taxpayers nearly $100 billion per year.
In 2019, care providers will continue to bolster their insider threat monitoring approaches. Those that don’t have monitoring programs will implement them. To combat the growing insider threat, organizations must understand where their data is located and who has access to it. Care providers can begin by conducting risk analyses, strengthening user identities, and monitoring access to patient data across systems, including EHRs and other cloud applications.
Prediction #5: The Ethical and Legal Use of Artificial Intelligence Will Empower Healthcare Data Security and Privacy
We’ve all heard of the patient care benefits of artificial intelligence (AI) in healthcare, and in recent years, we have seen many significant advancements come to fruition. In fact, the AI market is predicted to reach $6.6 billion by 2021, providing more information to care providers — from medical imaging and voice-to-text transcription to fraud detection and healthcare privacy and security.
AI can also help privacy and security officers better monitor for potential data breaches and prepare for OCR audits, saving time and building trust. But the growth of AI in healthcare has also exposed potential risks. That prompted the American Medical Association to pass the first policy recommendations on AI (which they call “augmented intelligence”) in 2018.
“As technology continues to advance and evolve, we have a unique opportunity to ensure that augmented intelligence is used to benefit patients, physicians, and the broad health care community,” says AMA board member Dr. Jesse M. Ehrenfeld.
Healthcare organizations are taking note – according to an International Data Group poll, 43 percent of health IT leaders plan to increase spending on AI. It’s no wonder, as there are myriad benefits to using AI in healthcare, including improved outcomes, increased efficiency, and more private and secure patient data.
In 2019, care providers will continue to incorporate new tools and technology that include AI and machine learning. They will also begin weighing the ethical and legal implications of these technologies while using them to empower patient data privacy and security.
The world of healthcare data privacy and security will only continue to increase in complexity. Moving into 2019, it’s important that care providers maintain a proactive approach to ensuring patient safety by using tools, technology, and a people-first approach.