The Ponemon Institute’s fourth annual Patient Privacy & Data Security Study reviewed new and expanded threats of patient data security and privacy. Based on the results of the study, human error continues to be the biggest source of healthcare data breaches, as 75 percent of organizations view employee negligence as the greatest breach threat.
The sample size of healthcare providers that Ponemon was able to interview rose from 80 in 2012 to 91 this year, for a total of about 388 one-on-one interviews completed over a three-month period concluding in January 2014. The study covered a wide range of topics, including the need to reduce both internal and external threats, HIPAA compliance trends, mobile device security and cloud security. After negligence, organizations said their biggest security concerns were the use of public cloud services (41 percent), mobile device insecurity (40 percent) and cyber attackers (39 percent).
According to the study, 90 percent of respondents said they’ve had at least one data breach over the past two years and 38 percent (down from 45 percent last year) of that 90 percent said that they had more than five data breaches over the two-year period. “Probably the only positive result here that was favorable to the healthcare industry is the reality that data breach frequency and cost declined slightly over the past year when compared to prior years,” Larry Ponemon, chairman and founder of the Ponemon Institute, said in an interview with HealthITSecurity.com. “This may be an indication that organizations are making good but modest progress in managing sensitive patient data.”
The primary causes of breaches were lost or stolen computing devices (49 percent), employee mistakes or unintentional actions (46 percent), and third-party snafus (41 percent). The share of data breaches with a root cause of either a malicious insider or a hacker has doubled, from 20 percent of all incidents to 40 percent, since the Ponemon Institute first started doing the study four years ago. There are some pattern changes, but that’s probably the biggest change of all, said Ponemon.
From an economic standpoint, the cost of one or more data breaches for the healthcare organizations in this study ranges from less than $10,000 to more than $1 million over a two-year period. Ponemon calculated that the average economic impact of data breaches over the past two years for the healthcare organizations represented in this study is $2.0 million, down nearly $400,000 (17 percent) from last year. Part of the reason is that breaches have gotten smaller: the average number of lost or stolen records per breach went down from 3,000 records to 2,150. At Ponemon’s estimated $188 per record, one breach may cost upwards of $404,200. Overall, Ponemon estimated that these incidents cost the healthcare industry $5.6 billion per year.
Three of the more critical themes in the report were mobile security, cloud security and HIPAA compliance. According to the report, 88 percent of organizations allow employees and medical staff to use their own devices (BYOD), but more than half are not confident that those personally owned mobile devices are secure. Furthermore, few organizations said they mandate anti-virus/anti-malware software on the mobile device prior to connection (23 percent). Even fewer require scanning devices for viruses and malware prior to connection (22 percent), or scanning devices and removing all mobile apps that present a security threat prior to connection (14 percent). “We do see that one of the great sources of a data breach is the loss of devices and now there are more devices, such as tablets or smart phones, being used in the workplace,” Ponemon said.
A mere one-third of respondents said they are very confident or confident that information in a public cloud environment is secure. Nevertheless, 40 percent of organizations say they use the cloud heavily (for backup and storage, file-sharing applications, business applications, and document sharing and collaboration), up from 32 percent last year.
Fifty-one percent of respondents said they are in full HIPAA compliance, while 49 percent report they are not compliant or are only partially compliant. Additionally, 39 percent say their incident assessment process is not effective, citing a lack of consistency and an inability to scale their process as the primary reasons. Moreover, 73 percent of organizations are either only somewhat confident (33 percent) or not confident (40 percent) that their business associates would be able to detect a data breach incident, perform an incident risk assessment and notify the organization, as required under the business associate agreement (BAA). And 44 percent of organizations say the HIPAA Omnibus Rule has affected their programs, while 41 percent say it has not and 15 percent say it is too early to tell.
Rick Kam, president and co-founder of ID Experts, said part of the strategy that HIPAA and HITECH covered entities have been taking is to try to just be compliant without looking at the broader, cross-industry security risks. As some organizations have learned, compliance with HIPAA doesn’t necessarily mean an organization has good security.
Organizations are trying to do things that OCR or HHS suggests, whether it be better training or policies and procedures. Where I think they’re missing the boat, as we’ve seen in several recent incidents, is that healthcare ecosystems are becoming more and more complex. Instead of relying on telling an employee, for example, that they’re responsible for protecting PHI, there should be technologies and tools in place, such as encryption, that make it less likely that the employee has to do anything to protect the data.
Other key findings included:
- Respondents in 69 percent of organizations represented believe the ACA significantly increases or increases the risk to patient privacy and security. The primary concerns are insecure exchange of patient information between healthcare providers and government (75 percent of organizations), patient data on insecure databases (65 percent) and patient registration on insecure websites (63 percent of organizations).
- Fifty-one percent of organizations say they are part of an Accountable Care Organization (ACO), and 66 percent say the risks to patient privacy and security due to the exchange of patient health information among participants have increased.
- Seventy-two percent of respondents say they are only somewhat confident (32 percent) or not confident (40 percent) in the security and privacy of patient data shared on health information exchanges (HIEs).
- Less than half of the organizations in this study report they are in full compliance (25 percent) or nearly in full compliance (23 percent) with the Accounting of Disclosures (AOD) requirement.
- Respondents deemed billing and insurance records and medical files the most likely to be lost or stolen.