First posted on Christina’s Considerations on 12/6/2012
The Third Annual Benchmark Study on Patient Privacy & Data Security by Ponemon Institute and ID Experts, has been released and reports that healthcare organizations face a huge challenge in stopping data breaches.
- 94% of healthcare organizations surveyed suffered at least one data breach
- 45% of organizations experienced more than five data breaches during the past two years
- Astonishingly, 69% off organizations still have not secure medical devices—such as mammogram imaging and insulin pumps (IT and Biomed have to talk!)
- The cost to the industry could average $7 billion annually.
Most organizations surveyed say they have insufficient resources to prevent and detect data breaches, but consider the alternatives. Patients are at increased risk for medical identity theft and their PHI and privacy could be violated as mobile and cloud technology becomes pervasive.
Change is needed and recommendations include:
- Operationalize pre-breach and post-breach processes, including incident assessment and incident response processes
- Restructure the information security function to report directly to the board to symbolize commitment to data privacy and security
- Conduct combined privacy and security compliance assessments annually
- Update policies and procedures to include mobile devices and cloud
- Ensure the Incident Response Plan (IRP) covers business associates, partners, cyber insurance
- Information breached is largely medical files and billing and insurance records. According to the research, 54% of organizations have little or no confidence that they can detect all patient data loss or theft. Based on the experience of the 80 healthcare organizations participating in this research, the resulting cost to the U.S. healthcare industry could be $6.87 billion, up from 2011. The average impact of a data breach is $1.2 million per organization.
- The causes of data breach cited were loss of equipment (46%), employee errors (42%), third-party snafu (42%), criminal attack (33 %), and technology glitches (31%). Cases of medical identity theft occurred at 52% of the organizations, and it lead to inaccuracies in the patient’s medical record (39%) and/or affected the patient’s medical treatment (26%).
- Mobile devices in the workplace pose threats to patients’ PHI. Employees are permitted to use their own mobile devices—commonly called Bring Your Own Device (BYOD)—often to access organization data (81%), yet organizations are not confident that these personally owned mobile devices are secure (54%). Hospitals surveyed are using cloud-based services (91%) to store patient records, patient billing information, and financial information, but 47% percent lack confidence in the data security of the cloud.
- This past year, 36% of healthcare organizations made improvements in their privacy and security programs, in response to the threat of audits conducted by the U.S. Department of Health and Human Services Office for Civil Rights. While 48% of organizations are now conducing security risk assessments, only 16% are conducting privacy risk assessments. Organizations still have insufficient resources to prevent and detect data breaches (73%) and/or don’t have controls to prevent and/or quickly detect medical identity theft (67%).
Now that I have an headache, I think I’ll stop here.