The Ponemon Institute’s Fourth Annual Benchmark Study on Patient Privacy & Data Security highlights some interesting bullet points about data breaches and healthcare security trends as healthcare organizations struggle to adapt to the requirements of the HIPAA Final Rule.
The study, sponsored by security consulting firm ID Experts, involved surveys of 91 organizations, with respondents ranging from HIPAA compliance leaders (12 percent) to chief information security officers (11 percent), chief information officers (11 percent), chief compliance officers (10 percent) and billing & administrative leaders (10 percent). Here are some of the key findings:
• The average economic impact of data breaches over the past two years for the healthcare organizations represented in the study was $2 million, a decrease of almost $400,000, or 17 percent, from the previous year. Ninety percent of respondents had at least one data breach over the past two years, while 38 percent have had more than five data breaches in the same time period.
• Although employee negligence, such as a lost laptop, continues to be at the root of most data breaches in the study, criminal attacks on hospitals have increased 100 percent since the first study four years ago. (In 2010, 20 percent of organizations reported criminal attacks; this year 40 percent did.)
• BYOD usage continues to rise. Despite the concerns about employee negligence and the use of insecure mobile devices, 88 percent of organizations permit employees and medical staff to use their own mobile devices such as smart phones or tablets to connect to their organization’s networks. Similar to last year, more than half of organizations are not confident that the personally owned mobile devices or BYOD are secure.
• Half of healthcare organizations are compliant with the post-incident risk assessment requirement in the HIPAA Final Rule. Fifty-one percent of respondents said they are in full compliance, while 49 percent report they are not compliant or are only partially compliant. Thirty-nine percent say their incident assessment process is not effective and cite a lack of consistency and inability to scale their process as the primary reasons.
• Healthcare organizations don’t trust their third parties or business associates with sensitive patient information. Seventy-three percent of organizations are either somewhat confident (33 percent) or not confident (40 percent) that their business associates would be able to detect, perform an incident risk assessment and notify their organization in the event of a data breach incident as required under the business associate agreement. The business associates they worry most about are IT service providers, claims processors and benefits management. Only 30 percent are very confident or confident that their business associates are appropriately safeguarding patient data as required under the Final Rule.
• Most healthcare organizations are not in compliance with Accounting of Disclosures (AOD) requirements. Less than half of the organizations in this study report they are in full compliance (25 percent) or nearly in full compliance (23 percent) with the Accounting of Disclosures requirement. These organizations say they achieve compliance mostly by an ad-hoc process (31 percent), a paper-based process or tool that was developed internally (27 percent), a software-based process or tool that was developed internally (27 percent) or a software-based process or tool that was developed by a third party (15 percent).
• Confidence in the security of health information exchanges (HIEs) remains low. The percentage of organizations joining HIEs increased only slightly, from 28 percent last year to 32 percent this year. One-third of organizations say they do not plan to become a member. The primary reason could be that 72 percent of respondents say they are only somewhat confident (32 percent) or not confident (40 percent) in the security and privacy of patient data sharing on HIEs.