Human error remains the biggest threat to healthcare data privacy, according to the latest study on patient privacy and data security by the Ponemon Institute. Healthcare organizations also continue to struggle with increasingly complex federal and state privacy and security regulations. And healthcare employees are contributing to higher breach risks with their unsecured personal devices.
The annual study asked a sample of healthcare providers a wide range of topics to benchmark the current state of threats to patient data security and privacy. While the total number of data breaches declined slightly from an average of 3,000 records to 2,150 records lost or stolen per breach, 90% of respondents reported at least one data breach over the past two years; 38% reported more than five incidents in the same period.
The key findings include:
Employee negligence is considered the biggest security risk. Seventy-five percent of respondents say human error is the biggest threat to data security, followed by using public cloud services (41%), lack of mobile device security (40%) and malicious cyber attacks (39%). Actual incidents of data breaches were the result of lost or stolen computing devices (49%), followed by employee mistakes or unintentional actions (46%) and third-party snafus (41%).
Criminal attacks on healthcare organizations up 100% since 2010. Breaches caused by malicious attacks accounted for 40% of all incidents, representing a dramatic 100% increase since Ponemon's first study four years ago.
Healthcare organizations improve ability to control data breach costs. The average cost of a data breach for an organization is about $2 million over a two-year period. This is down from $2.4 million in 2012. The estimated annual cost to the healthcare industry from data breaches is about $5.6 billion.
BYOD usage continues to rise. Despite the concerns about employees’ carelessness and misuse of mobile devices, 88% of organizations allow employees and medical staff to use their own mobile devices (such as smart phones or tablets) to connect to their organization’s networks or email systems. Few require employees to take security precautions such as installing anti-virus/anti-malware software on mobile devices (23%), scanning for viruses or malware prior to connecting (22%) and scanning devices and removing all mobile apps that may present a security threat prior to connecting (14%).
ACA increases risk to patient privacy and information security. According to 69% of respondents, the Affordable Care Act (ACA) significantly increases or increases the risk to patient privacy and security due to the vulnerability of insecure websites, databases and health information exchanges.
Confidence in the security of Health Information Exchanges (HIEs) remains low. While the number of organizations joining an HIE increased slightly from 28% to 32%, one-third have no plans to become an HIE member. Most cite a lack of confidence — 32% are only somewhat confident and 40% are not at all confident — in the HIEs' abilities to protect patient data.
ACO participation increases data breach risks. Fifty-one percent of organizations say they are part of an Accountable Care Organization (ACO); 66% say that the exchange of patient health information among participants increases risks to patient privacy and security.
Heavy use of cloud services increases. Although the use of public cloud services is seen as a serious threat, 40% of respondents — up from 32% last year —use the cloud on a regular basis for backup and storage, file-sharing applications, business applications and document sharing and collaboration.
Third parties and business associates are not trusted with sensitive patient information. Only 30% of healthcare organizations surveyed are very confident or confident that their business associates are appropriately safeguarding patient data as required under the Health Insurance Portability and Accountability (HIPAA) Omnibus Rule. Respondents were most concerned about IT service providers, claims processors and benefits management.
Half of healthcare organizations comply with the post-incident risk assessment required by Omnibus Rule. Only 51% of respondents say they are in full compliance, while 49% report they are either not compliant, or only partially compliant; 39% say their incident assessment process is ineffective.
Most healthcare organizations aren’t complying with AOD requirements. Less than half of the organizations report they are in full compliance (25%) or nearly in full compliance (23%) with the Accounting of Disclosures requirement. Organizations that do comply use an ad-hoc process (31%), a paper-based process or internally developed tool (27%), a software-based process or internally developed tool (27%) or a software-based process or third-party developed tool (15%).
Organizations rely heavily on policies and procedures. Fifty-five percent of organizations have implemented policies and procedures to prevent or detect data breaches, but most lack the money, technology and other resources to appropriately safeguard patient information. Furthermore, only 46% of organizations have personnel who are knowledgeable about data breach notification laws.
Ponemon researchers conclude that healthcare professionals must rely on more than policies and procedures to address both internal and external threats. Organizations need to give greater attention to technologies that secure mobile devices, protect sensitive data stored in the cloud and assess areas of vulnerability to attacks from malicious outsiders. Finally, given the level of risk posed by negligent employees, training and awareness programs should be conducted at every level of the organization.
Implementing the necessary measures to effectively protect patient data security and privacy is a big challenge, but one that is critical to the future of the healthcare industry.