In the realm of privacy and security, heeding snooping employees and encrypting portable devices isn't enough in healthcare these days. Criminal attacks on hospitals are on a huge upward trend, with a whopping 100 percent reported increase just from four years ago. That’s according to a new Ponemon Institute published this March.

This year, 40 percent of healthcare organizations have reported a criminal data attack. And, business associates who are not yet compliant with HIPAA in addition to those employees given the green light to use their unsecured devices certainly aren’t helping those numbers, say Ponemon officials.

The news isn't all bad, however. Data breaches have actually slightly declined in recent years, but it's still no number meriting celebration, as breaches continue to cost the industry a pretty penny, $5.6 billion annually to be exact.

"It suggests healthcare organizations are making modest progress on managing sensitive patient information," said Larry Ponemon, chairman and founder of the Ponemon Institute, in an interview with Healthcare IT News. "I want to underscore the word 'modest.'"

Breaking it down by organization, healthcare groups who experience a data breach can expect to pay out some $2 million over a two-year period.

Moreover, an overwhelming 90 percent of survey respondents reported at least one data breach over the past two years, while 38 percent have had more than five data breaches in the same time period, officials pointed out.

Employee negligence, such as losing laptops, tops the list for root causes. However, Ponemon said the latest trend has been the uptick in criminal attacks at hospitals. “The combination of insider-outsider threats presents a multi-level challenge, and healthcare organizations are lacking the resources to address this reality," he said in a press statement.

Additional findings include some 75 percent of health groups cited employee negligence as the top security concern, as they increase exposure to sensitive data by the uptick in personal unsecured devices. Bring your own device policies, officials say, also present new risks, as personal devices have become more difficult to manage.

In fact, 88 percent of organizations permit employees to use their own mobile devices and connect to the organization's networks or enterprise systems such as email, with access to patient information.

Similar to last year's study, more than 50 percent of industry groups are not confident the personally owned mobile devices are secure. Yet, 38 percent of organizations fail to take steps ensuring these devices are secure.

Report findings also underscore healthcare groups' growing distrust in their business associates relating to protecting PHI. Some 73 percent of organizations are not confident or only slightly confident their third parties are able to detect a security incident, perform an incident risk assessment and notify if a data breach occurs. According to those surveyed, the business associates who present the greatest risks to patient information are IT service providers, claims processors and benefits management.

Doing It Right

Despite the threats data breaches pose, some organizations have worked diligently to better protect patient information, as report findings suggest, data breach numbers are actually slightly down this year.

John Halamka, MD, CIO of Beth Israel Deaconess Medical Center in Boston, has been ahead of the game in the realm of data privacy and security for a long time now, implementing clear policies surrounding BYOD and device encryption.

Part of his success came from realizing at the end of the day "a CIO has limited authority but infinite accountability," Halamka told Healthcare IT News. Then it's a matter of asking, "How do you reduce risk to the point where government regulators and, more importantly, patients will say, 'what you have done is reasonable.'"

Halamka, who oversees some 18,000 user accounts, 1,600 iPhones and 600 iPads, spends some 20 percent of his day on risk, compliance and governance. "Much of what I have to do is meet with my business owners and ask, 'what are the risks? Reputational risks? Patient privacy breach risks? Data integrity risks? And then in a multi-year way put in risk mitigations," he explained. "We're never going to be perfect," he added, "but we can put in place, what I call, a 'multilayer defense.’”

Rick Kam, president of information security company ID Experts, who sponsored the Ponemon report, said where he sees the biggest oversights are when the clinical and IT staff get HIPAA or compliance training, but the upper echelons of hospitals and health systems are left out of the loop, by choice. "Where we're seeing, 'we don't need those,' is at the executive and the board levels where there's really a lack of awareness above," he said to Healthcare IT News, and including them is really one of the basics.