Data breaches are a large and costly threat for healthcare providers, which so far have been unable to cope with existing and new challenges of securing patient data. That’s a key finding of the Third Annual Benchmark Study on Patient Privacy & Data Security, released by the Traverse City, Mich.-based Ponemon Institute and sponsored by ID Experts, Portland, Ore.
The survey presents findings based on self-reported benchmark survey returns from 80 organizations, including hospitals and clinics that are part of a healthcare network (46 percent), integrated health delivery systems (36 percent), and standalone hospitals or clinics (19 percent). The survey results are skewed to larger organizations, and exclude very small provider organizations including local clinics and medical practitioners. The survey methods targeted individuals who are currently involved in data protection, security, privacy, or compliance.
The study found that data breaches are pervasive: 94 percent of the organizations suffered at least one data breach, and 45 percent experienced more than five, during the last two years. Based on the information supplied by the respondent organizations, the cost to the U.S. healthcare industry is estimated at nearly $7 billion annually.
Fifty-four percent of the respondents said they had little or no confidence that they can detect all patient data loss or theft. “Overall data breaches are growing,” says Larry Ponemon, Ph.D., chairman and founder of the Ponemon Institute, who adds that, at least in the healthcare industry, people are somewhat fatalistic, with the perception that they can’t get their arms around the problem completely. “I’m not saying they are giving up, but they are not confident they can deal with these threats,” he says.
A Widespread and Costly Problem
According to the report, the percentage of organizations that have experienced a data breach has increased since the survey was first conducted in 2010, and there are also more organizations reporting multiple data breaches. The economic impact of one or more data breaches of responding organizations ranges from $10,000 to more than $1 million over a two-year period; and the average economic impact of data breaches over the past two years is $2.4 million, an increase of almost $400,000—about 15 percent—since the study was first done in 2010. Data breaches costing more than $500,000 have increased from 48 percent of healthcare organizations participating in the study in 2010 to 57 percent in this year’s study.
While the size of some breaches is small, provider organizations should not be complacent, because even a small data breach can be indicative of a larger problem, cautions Ponemon. “The fact that there is leakage of data is like a ship that starts to leak—sooner or later it sinks,” he says.
Insider negligence is the root cause of most data breaches: the primary causes reported in the study are lost or stolen computing devices (46 percent), followed by employee mistakes or unintentional actions (42 percent) and third-party snafus (42 percent). Not all causes have been benign, however; criminal attacks jumped from 20 percent in 2010 to 33 percent this year.
Medical files and insurance records are the types of information most often lost or stolen, and 70 percent say that protected health information (PHI) is at increased risk, followed by financial identity (61 percent) and medical identity theft (59 percent). More than half (52 percent) of respondents say their organizations had one or more incidents involving medical identity theft. While only 18 percent said the theft was the result of a data breach, another 32 percent were unsure—partly because only a third of respondents said their organizations have sufficient controls in place to detect medical identity theft.
“We are very interested in medical identity theft; it’s a big issue that is on the rise,” Ponemon says. “Hospitals have detected this as an emerging threat.”
On the other hand, fewer respondents believe patient billing information is susceptible to data loss or theft this year (29 percent said billing information is at risk, compared with 39 percent the year before). Similarly, the share of respondents who believed patient medical records were the type of information most at risk declined from 25 percent in 2011 to 15 percent this year. In contrast, a much higher percentage of respondents believe employee records have become more susceptible to data loss or theft (up from 9 percent in 2011 to 21 percent this year).
Coping with Technology Trends
The rising trends of mobility and employee use of their own devices at work are posing challenges to CIOs. Eighty-one percent of organizations permit their employees and medical staff to use their own mobile devices, such as smartphones and tablet computers, to connect to the organizations’ networks or enterprise systems. On average a little over half (51 percent) of employees bring their devices to the facility, yet 46 percent of respondents say their organizations do nothing to secure those devices. “We were shocked by that,” Ponemon says, noting that 54 percent of respondents are not confident that personally owned mobile devices are secure. This year, 18 percent of respondents said a breach occurred because of a lost or stolen mobile device, more than double last year’s number (7 percent).
Another weak link in the security chain is unsecured medical devices, such as wireless heart pumps and insulin pumps, that contain sensitive patient information. These devices are often built on commercial off-the-shelf PC hardware and software and have wireless connections, which exposes them to cyber attacks. Of the respondents, 69 percent said they do not secure FDA-approved medical devices.
In a revealing response about the uptake of technology, many organizations have embraced the cloud despite their concerns over data security. While 62 percent of the organizations reported moderate or heavy use of cloud services (only 7 percent said they do not use cloud services at all), 47 percent of respondents said they are not confident that data in the cloud is secure, and only 23 percent are somewhat confident.
Concerns over security may be holding back the growth of health information exchange (HIE). Only 28 percent of respondents said their organization was already a member of an HIE, and another 17 percent said they will become a member. More than a third (35 percent) said they do not plan to join an HIE, possibly reflecting the fact that two-thirds of respondents said they were not confident, or only somewhat confident, in the security and privacy of patient data exchanged this way.
Some Bright Spots in a Gloomy Picture
More respondents (40 percent) this year said they had the confidence to prevent or detect all data losses or thefts in their organizations, up from 31 percent the year before. This could be because more organizations are relying less on ad hoc processes and more on policies and procedures and a combination of manual procedures and security technologies.
Compliance efforts have also had a positive impact. Thirty-six percent of respondents agree that recent Office for Civil Rights (OCR) audits and fines under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act have affected their organization’s patient data privacy and security policies.
The primary activity by healthcare organizations has been HIPAA-required privacy and security awareness training for all staff; this is followed by monitoring or vetting of third parties, including business associates (49 percent). Annual risk assessments are done by fewer than half (48 percent) of the organizations. According to the report, employee training has not been particularly effective in stemming data breaches.
More than half (52 percent) of respondents agree that they have sufficient policies and procedures to prevent or quickly detect unauthorized patient data access, loss or theft, up from 41 percent in 2010, an improvement possibly attributable to better compliance. On the other hand, only 27 percent said they have sufficient resources, and only 34 percent said they have a sufficient security budget.
While not part of this particular report, Ponemon also notes that data encryption, which is the focus of a separate survey, is seeing a higher adoption rate by healthcare organizations.
Tips for Dealing with the Problem
Rick Kam, president and co-founder of ID Experts, notes that three out of five healthcare organizations simply do not have the budget to address threats to patients’ protected health information. The basic problem, he says, is that instead of dealing with data protection on a daily, ongoing basis, they deal with it only as a catastrophic event. Organizations need to adopt management approaches and tools that defend against the weaknesses leaving them vulnerable, he says.
He has five recommendations for healthcare organizations:
- Operationalize pre-breach and post-breach responses, including incident assessment and incident response processes.
- Restructure the information security function to report directly to the board to symbolize commitment to data privacy and security.
- Conduct combined privacy and security compliance assessments annually.
- Update policies and procedures to include mobile devices and the cloud.
- Ensure that the incident response plan covers business associates, partners, and cyber insurance.