Health care firms are lagging far behind other industries with information security initiatives, according to a new study, which found many organizations suffering multiple data breaches, exposing confidential patient information, and ultimately failing to implement many basic security measures.
In a study of 80 health care organizations conducted by the Ponemon Institute, more than 94% experienced one health care privacy or security breach in the last two years, and 45% indicated having to address more than five breaches. The Third Annual Benchmark Study on Patient Privacy & Data Security, sponsored by Portland, Ore.-based data breach prevention and response consultancy ID Experts, represented mainly large health care organizations, with approximately 58% representing private facilities. Forty percent of participating health care providers indicated having a 301- to 600-bed capacity, while 36% have 101 to 300 beds.
Larry Ponemonchairman and founder, Ponemon Institute
Sensitive patient data, such as Social Security numbers, is leaking primarily through employee negligence, said Larry Ponemon, chairman and founder of the Ponemon Institute. The survey found that 46% of those surveyed indicated a lost or stolen computing device was the primary cause of breaches. Ponemon said lost laptops, USB sticks and mobile devices and tablets are accounting for small, but significant lapses in data security that can be addressed with basic security controls and end-user education.
"Things are not getting better, they're generally getting worse for these health care organizations," Ponemon said.
Employees are also getting around some restrictions, sending email without encrypting sensitive information or using personal email for business matters, ignoring policies to work remotely. The lapses are exposing patient data and there's no way to tell how much of the data leakage is resulting in identity theft and health care fraud, an issue of serious concern to the health care industry, Ponemon said.
Health organizations are modernizing systems and slowly moving forward with electronic health care records and other IT initiatives, buoyed by the HITECH Act. HITECH's main objective is to boost technology and promote data exchange between providers. But the costs of hiring IT professionals to manage the systems add up, and some firms are turning to third-party providers. A variety of firms have had to publicly report health care data security breaches.
But adoption of technology can produce new security weaknesses. Forty-two percent of those surveyed indicated that third-party snafus were a significant cause of breaches. Data is being put at risk when information is shared between health care partners. Analytical systems that collect and analyze patient data and third-party firms that conduct additional tests all share patient data, increasing the data leakage risk. Ninety-one percent of hospitals surveyed are using cloud-based services; many use cloud services to store patient records, patient billing information and financial information. Yet, 47% of organizations lack confidence in the data security of the cloud.
"There is this view from the patient, that our record is uniquely ours and we are in charge of who gets to see it," Ponemon said. "That is not true because just like any other industry, information is value, and as a result a lot organizations are not taking the right steps."
The study found fewer cybercriminal attacks leading to a breach. Criminal attacks has seen an increase from 20% in 2010 to 33% this year.
Medical devices containing sensitive patient information are also at risk to an attack. Wireless heart pumps, mammogram imaging and insulin pumps, among other devices, are not being protected by a vast majority of those surveyed. The study found that 69% of organizations do not secure medical devices. "This finding may reflect the possibility that they believe it is the responsibility of the vendor -- not the health care provider -- to protect these devices," according to the study.
Data breach economic impact
Participating organizations in the study experienced an economic impact of data security breaches from less than 10,000 to more than $1 million over a two-year period. Ponemon said his firm estimated that the average economic impact of data breaches over the past two years for the health care organizations represented in this study is $2.4 million.
The impact, however, goes beyond the individual health care organization, Ponemon said. Medical identity theft drives up costs and forces patients to pay higher premiums. Fifty-two percent of organizations reported their health care organizations had one or more incidents of medical identity theft. While only 18% said the theft was a result of a data breach, 32% are unsure. This uncertainty is due in part to the finding that only one-third said they have sufficient controls in place to detect medical identity theft, according to the study.
Recommendations to improve health care data privacy and security
Organizations should consider elevating the chief privacy and security role in the organization to report directly to the board of directors, said Rick Kam, founder and partner at ID Experts. Kam said the organizational change elevates the issue of security across the entire organization, and could begin to change the culture to one that embraces data security.
"Three out of five organizations don't have the budget to appropriately secure patient information," Kam said. "Security officers and CISOs are still doing what they did in years past, and not addressing new threat vectors like cloud and mobile."
Privacy and risk assessments will help determine if additional security controls need to be implemented, or if security policy should be addressed and better communicated. Organizations using a cloud provider should understand that it can be considered a business associated under HIPAA. "Be sure to evaluate your relationship with your cloud provider and sign a business associate agreement if appropriate."