Latest Ponemon Study Shows New Vulnerability Zones in Protected Health Information Security

A new study from the Ponemon Institute shows that healthcare providers have made progress in implementing protected health information (PHI) security policies and processes. According to the Fourth Annual Benchmark Study on Patient Privacy and Data Security by Ponemon Institute, slightly more than half (55 percent) of organizations surveyed agree they have the policies and procedures that effectively prevent or quickly detect unauthorized patient data access, loss or theft, a perception supported by the finding that the number and cost of data breaches has declined slightly from past years. Unfortunately, a year after the HIPAA Final Rule went into effect, the other half of organizations surveyed do not feel they have adequate policies and procedures in place to effectively prevent or detect PHI security incidents. The overall picture is still sobering. Healthcare organizations are threatened by large and evolving security blind spots, from the ongoing issue of employee behavior to growing criminal activity (criminal attacks rose 100 percent over last year, in fact), as organizations drive full speed ahead into a rapidly changing healthcare landscape.

Source: ID Experts | Published on March 12, 2014


Signs of Improvement

While the total number of data breaches has declined slightly over previous years, 90 percent of healthcare organizations are still experiencing breaches, and 38 percent report that they have had more than five incidents in the last two years (a slight decrease from last year's report, in which 45 percent reported more than five breaches). Ponemon calculates the average economic impact of reported data breaches over the past two years at $2.0 million per organization; however, data breaches are still costing healthcare organizations an estimated $5.6 billion annually.

There are hopeful signs, but many organizations are still struggling with incident management, compliance with the myriad of regulations, and how to cope with changes in the security environment. Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, sums up the situation: "Healthcare organizations are getting better at implementing security measures, but attacks and threats are getting stronger and more persistent. The combination of insider and outsider threats presents a multi-level challenge, and healthcare organizations are lacking the resources to address this reality."

Shining Light on the Blind Spots

The shifting healthcare environment creates security blind spots for healthcare organizations: they know there will be threats from business associates, mobile devices, new healthcare exchanges, etc., but they don't have the visibility to avoid those threats. The new Ponemon study outlines several key areas of concern.

Employee negligence: As in past Ponemon surveys, human error emerged this year as the biggest vulnerability in PHI security. Although the majority of surveyed organizations expressed confidence in their breach detection policies and procedures, 75 percent reported employee negligence as their biggest worry, and insider negligence was the root of most data breaches reported in the study. Exacerbating concerns about employee negligence is the use of insecure mobile devices: 88 percent of organizations permit employees and medical staff to use their own mobile devices to connect to the organization's networks or enterprise systems, even though more than half of organizations are not confident that employees' mobile devices are secure, and 38 percent don't take steps to secure the devices or prevent them from accessing sensitive information.

Security gaps with business associates: Healthcare organizations are increasingly reliant on business associates (BAs) for IT services, claims processing, benefits management, and other services, yet most don't trust their third parties or business associates with sensitive patient information. BAs have access to patient information, but many are still struggling to comply with the HIPAA Final Rule. Seventy-three percent of organizations surveyed by Ponemon are somewhat confident (33 percent) or not confident (40 percent) that their business associates would be able to detect, perform an incident risk assessment, and notify the organization in the event of a data breach incident as required under the business associate agreement. Only 30 percent are confident that their business associates are appropriately safeguarding patient data as required under the HIPAA Final Rule.

Evolving criminal threats: Dr. Larry Ponemon says that the most sobering finding of the study is the rise in criminal activity directed against PHI: "The latest trend we are seeing is the uptick in criminal attacks on hospitals, which have increased a staggering 100 percent since the first study four years ago. As millions of new patients enter the U.S. healthcare system under the Affordable Care Act, patient records have become a smorgasbord for criminals." This year, 40 percent of organizations surveyed report criminal attacks on PHI security, as opposed to 20 percent in 2010, a 100 percent increase. Cybercriminals are constantly changing and revising their tactics, and staying ahead of the criminal threat is a major challenge for healthcare organizations.

New vulnerabilities under the Affordable Care Act: The Affordable Care Act promotes the use of electronic medical records as a means to lower healthcare costs, but nearly 70 percent of respondents in the Ponemon survey believe that it has increased the risk to millions of patients due to inadequate security. The primary concerns include insecure exchange of patient information between healthcare providers and government, patient data on insecure databases, and patient registration on insecure websites. Survey participants also had strong reservations about the security of Health Information Exchanges (HIEs): a third said they don't plan to participate in HIEs because they are not confident enough in the security and privacy of patient data shared on the exchanges.

A Bucket of Trouble

There are glimmers of good news in this year's Ponemon report, but this is no time for any healthcare organization to rest on its laurels. "It's been one year since the HIPAA Final Rule was enforced and we have seen healthcare organizations make some good progress towards complying with federal privacy and security guidelines and better safeguarding patient information. However, because the threats and risks are shifting, organizations are in a constant state of catch up," Rick Kam, president and co-founder of ID Experts, explains. "It's like a bucket filled with water and holes. The water keeps spurting out, and every time you go to patch a hole, a new hole forms. The whole process of patching old and new holes is overwhelming."

Right now, healthcare organizations need to double down on their efforts to assess risks, achieve consistency in security processes and procedures, and prepare for emerging threats. This shift in focus from an incident-based process to a culture of compliance is what is necessary to get ahead of the shifting sands of security risks. According to Ponemon, organizations should look for opportunities to build business operations that include tools, software and processes that will both automate and streamline the practice of managing the disclosure of regulated data.