Patients are morphing into consumers, but with eyes wide open: they know about data breaches, and they increasingly demand healthcare services delivered on their own terms.
I met with Accenture’s Dr. Kaveh Safavi, Frances Dare, and Jenn Francis at HIMSS17 to discuss their latest research into these two topics. In this post, I’ll cover the growing challenge of cybersecurity and what Accenture learned about consumer data breaches. Tomorrow I’ll discuss Accenture’s latest findings on the expectations of the evolving health/care consumer. [Spoiler alert: personal health information data security is one of those expectations].
At HIMSS17, the issue of cybersecurity is more front-and-center than at any previous conference that I’ve attended in 20+ years as a HIMSS member. The annual HIMSS survey of CIOs puts cybersecurity in the top position, both as a financing priority and in things-that-keep-you-up-at-night status.
Here’s a current snapshot on the challenge in the U.S.: healthcare cybersecurity risks increased 320% between 2015 and 2016, according to the Breach Report by Redspin, which found that 16,612,985 patient health records were breached in the U.S. in 2016.
The annual 2017 HIMSS Leadership and Workforce Survey was released this week at the HIMSS conference. The online study polled 368 U.S. health IT leaders between late November 2016 and early January 2017 (note that this survey was fielded just after the US Presidential election). Among all priorities facing the overall sample of health IT pros, “privacy, security and cybersecurity” rises to the top, followed by quality and patient safety, care coordination and population health, and EHRs.
Concerns for cybersecurity in healthcare will translate into 81% of US healthcare organizations increasing information security spending in 2017, according to The Thales Data Threat Report, Healthcare Edition. But will that be enough? A recent Symantec study found that healthcare entities devote 6% or less of overall IT budgets to security — a surprising fact given that over half of the study’s participants were hit by an external cyberattack in the past year.
The Thales Report points out that 60% of healthcare organizations in the U.S. are deploying cloud, big data, and IoT environments without adequate data security, calling healthcare digitalization “a double-edged sword.” Digitizing health records has many benefits, but it also exposes individual healthcare data to more people, in more places, and on more devices. “Electronic health records contain a trove of personal data, making them an ideal target of one-stop hacking for cyber thieves,” the Report observes.
With this context in mind, consider Accenture’s finding that one in four US consumers has had their healthcare data breached. One-half of those breaches led to an out-of-pocket cost of $2,500, on average, due to medical identity theft, Accenture learned. The most common healthcare sites where these breaches occurred were in provider settings (hospitals and clinics): 80% of breaches happened in provider sites, and 20% via government or health insurers.
The double-edged sword is illustrated by Accenture’s discovery that 1 in 4 consumers had their healthcare data stolen because the hospitals, clinics, pharmacies and doctors’ offices increasingly use cloud computing, which, when not secured, is an opportunity to be hacked.
Dr. Safavi talked about the 1 in 4 consumers whose PHI was stolen, noting that 50% of these breaches resulted in identity theft in some way, allowing:
• 37% of the data thieves to purchase items using the patient’s information
• 35% to fraudulently bill for healthcare
• 26% to fraudulently receive healthcare
• 26% to fraudulently fill prescriptions
• 12% to access or modify health records.
“The biggest hole in the boat is the delivery system,” Dr. Safavi observed. But ask people who they trust most, and it’s providers, he pointed out. Ask people who they trust least with their healthcare information? The government and payors. Thus, there is a disconnect between consumers’ expectations and the reality they face vis-à-vis the security of their personal health information.
The expectation: consumers assume and expect healthcare providers to be trustworthy stewards of their PHI.
Providers, take note: about one-half of consumers said they would change providers if they discovered their data had been breached, according to the Accenture survey.
This is a risk and an opportunity, Dr. Safavi believes: for providers who do not proactively respond to the cybersecurity risks, the threat is patients fleeing the doctor’s or clinic’s practice or hospital’s patient base. The opportunity is to differentiate the institution in the community as a trustworthy place for sharing personal health information. “Security poses itself as a strategic differentiator,” Dr. Safavi concludes.
Health Populi’s Hot Points: Consumers have been “primed” by Amazon, I wrote in this blog last week. People’s expectations for streamlined retail experiences — “I want it my way and I want it now” — bleed into their expectations for healthcare services. That means digitization, and Amazon-style simplicity, transparency, interaction, and immediacy. And that will require providers pragmatically and strategically taking on cybersecurity as an ongoing risk management project.
I’ll cover the second part of my discussion with the Accenture team in tomorrow’s post, on the evolving demands of health care consumers — including the implications from this cybersecurity study.