Data attacks on healthcare flying high

March 12, 2014

10:55 AM

In the realm of privacy and security, heeding snooping employees and encrypting portable devices isn't enough in healthcare these days. Criminal attacks on hospitals are on a huge upward trend, with a whopping 100 percent reported increase just from four years ago. That’s according to a new Ponemon Institute study released today.

This year, 40 percent of healthcare organizations have reported a criminal data attack. And, business associates who are not yet compliant with HIPAA in addition to those employees given the green light to use their unsecured devices certainly are not helping these numbers, say Ponemon officials.

[See also: HIPAA data breaches climb 138 percent]

The news isn't all bad, however. Data breaches have actually slightly declined in recent years, but it's still no number meriting celebration, as breaches continue to cost the industry a pretty penny, $5.6 billion annually to be exact.

"It suggests healthcare organizations are making modest progress on managing sensitive patient information," said Larry Ponemon, chairman and founder, Ponemon Institute, in an interview with Healthcare IT News. "I want to underscore the word 'modest.'"

Breaking it down by organization, healthcare groups who experience a data breach can expect to pay out some $2 million over a two-year period. Moreover, an overwhelming 90 percent of survey respondents reported at least one data breach over the past two years, while 38 percent have had more than five data breaches in the same time period, officials pointed out.

"Employee negligence, such as a lost laptop, continues to be at the root of most data breaches in this study. However, the latest trend we are seeing is the uptick in criminal attacks on hospitals," said Ponemon, in a March 12 press statement. “The combination of insider-outsider threats presents a multi-level challenge, and healthcare organizations are lacking the resources to address this reality."

Additional findings include some 75 percent of healthcare organizations cited employee negligence as the top security concern, as they increase exposure to sensitive data by the growing use of their personal unsecured devices. Bring your own device policies, officials say, also present new risks, as personal devices have become harder to manage, control and secure.

In fact, 88 percent of organizations permit employees and medical staff to use their own mobile devices to connect to their organization's networks or enterprise systems such as email, with access to patient information. Similar to last year's study, more than 50 percent of industry groups are not confident the personally owned mobile devices are secure. Yet, 38 percent of organizations fail to take steps ensuring these devices are secure.

[See also: Breach has group using encryption.]

Report findings also underscore healthcare groups' growing distrust in their business associates relating to protecting patients' health information. Some 73 percent of organizations are not confident or only slightly confident that their third parties are able to detect a security incident, perform an incident risk assessment and notify them in the event of a data breach. According to those surveyed, the business associates who present the greatest risks to patient information are IT service providers, claims processors and benefits management.

DOING IT RIGHT

Despite the threats data breaches pose, some organizations have worked diligently to better protect patient information, as report findings suggest, data breach numbers are actually slightly down this year.

John Halamka, MD, CIO of Beth Israel Deaconess Medical Center in Boston, has been ahead of the game in the realm of data privacy and security for a long time now, implementing clear policies surrounding BYOD and device encryption.

Part of his success came from realizing at the end of the day "a CIO has limited authority but infinite accountability," Halamka told Healthcare IT News. Then it's a matter of asking, "How do you reduce risk to the point where government regulators and, more importantly, patients will say, 'what you have done is reasonable.'"

Halamka, who oversees some 18,000 user accounts, 1,600 iPhones and 600 iPads, spends some 20 percent of his day on risk, compliance and governance. "Much of what I have to do is meet with my business owners and ask, 'what are the risks? Reputational risks? Patient privacy breach risks? Data integrity risks? And then in a multi-year way put in risk mitigations," he explained. "We're never going to be perfect," he added, "but we can put in place, what I call, a 'multilayer defense.''

Rick Kam, president of information security company ID Experts, who sponsored the Ponemon report, said where he sees the biggest oversights are when the clinical and IT staff get HIPAA or compliance training, but the upper echelons of hospitals and health systems are left out of the loop, by choice. "Where we're seeing, 'we don't need those,' is at the executive and the board levels where there's really a lack of awareness above," he said to Healthcare IT News. And including them is really one of the basics to "what's required in order to essentially identify a risk," he said.

Topics:

Privacy & Security