The rising trends of mobility and employee use of their own devices at work are posing challenges to CIOs. Eighty-one percent of organizations permit their employees and medical staff to use their own mobile devices, such as smartphones and tablet computers, to connect to the organizations’ networks or enterprise systems. On average, a little over half (51 percent) of employees bring their devices to the facility, yet 46 percent of respondents say their organizations do nothing to secure those devices. “We were shocked by that,” Ponemon says, noting that 54 percent of respondents are not confident that personally owned mobile devices are secure. This year, 18 percent of respondents said a breach occurred due to lost or stolen mobile devices, more than double last year’s number (7 percent).
Another weak link in the security chain is unsecured medical devices—such as wireless heart pumps and insulin pumps—that contain sensitive patient information. These devices often run on commercial PC platforms and have wireless connections, which exposes them to cyber attacks. Of the respondents, 69 percent said they do not secure FDA-approved medical devices.
In a revealing response about the uptake of technology, many organizations have embraced the cloud despite their concerns over data security. While 62 percent of the organizations indicated they make moderate or heavy use of cloud services (only 7 percent said they do not use cloud services at all), 47 percent of respondents said they are not confident that data in the cloud is secure, and 23 percent are only somewhat confident.
Concerns over security may be holding back the growth of health information exchange (HIE). Only 28 percent of respondents said their organization was a member and another 17 percent said they will become a member. More than a third (35 percent) said they do not plan to become a member of an HIE, possibly reflecting the fact that two-thirds of respondents said they were not confident or only somewhat confident in the security and privacy of patient data.
Some Bright Spots in a Gloomy Picture
More respondents (40 percent) this year said they had the confidence to prevent or detect all data losses or thefts in their organizations, up from 31 percent the year before. This could be because more organizations are relying less on ad hoc processes and more on policies and procedures and a combination of manual procedures and security technologies.
Compliance efforts have also had a positive impact. Thirty-six percent of respondents agree that recent Office for Civil Rights audits and fines under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act have affected their organization’s patient data privacy and security policies.
The most common activity among healthcare organizations has been HIPAA-mandated privacy and security awareness training for all staff; this is followed by monitoring or vetting of third parties, including business associates, which 49 percent do. Annual risk assessments are done by fewer than half (48 percent) of the organizations. According to the report, employee training has not been particularly effective in stemming data breaches.
More than half (52 percent) of respondents agree that they have sufficient policies and procedures to prevent or quickly detect unauthorized patient data access, loss or theft, up from 41 percent in 2010, a rise that can possibly be attributed to better compliance. On the other hand, only 27 percent said they have sufficient resources and only 34 percent said they have a sufficient security budget.
While not part of this particular report, Ponemon also notes that data encryption, which is the focus of a separate survey, is seeing a higher adoption rate by healthcare organizations.
Tips for Dealing with the Problem
Rick Kam, president and co-founder of ID Experts, notes that three out of five healthcare organizations simply do not have the budget to address threats to patients’ protected health information. The basic problem, he says, is that instead of dealing with the problem on a daily, ongoing basis, they deal with it as a catastrophic event. Organizations need to adopt management approaches and tools that defend against the issues exposing them to vulnerabilities, he says.
He has five recommendations for healthcare organizations:
- Operationalize pre-breach and post-breach responses, including incident assessment and incident response processes.
- Restructure the information security function to report directly to the board to symbolize commitment to data privacy and security.
- Conduct combined privacy and security compliance assessments annually.
- Update policies and procedures to include mobile devices and the cloud.
- Ensure that the incident response plan covers business associates, partners, and cyber insurance.