4 Recommendations to Fight Rising Prevalence, Cost of Hospital Data Breaches
Innovation and emerging technologies in information technology are both exciting and challenging for the healthcare field. These advances create efficiencies, eliminate waste and improve much-needed access to information. However, new concerns about security and privacy arise as these advances are implemented and utilized.
The uphill battle healthcare organizations face in stopping data breaches is evidenced in the "Third Annual Benchmark Study on Patient Privacy & Data Security," conducted independently by Ponemon Institute and sponsored by ID Experts.
According to Larry Ponemon, chairman and founder of Ponemon Institute, the study takes a deeper dive into healthcare organizations' struggle to deal with privacy and security data risks. "[Ponemon Institute] not only completes a survey, but observes what the organizations do. The research also includes conversations with members of the organization," says Mr. Ponemon. "This is the third time we are doing the study, and unfortunately, things seem to be getting worse."
Approximately 80 healthcare organizations participated in the research. Although the sample is representative, the quality of the data is influenced by the degree to which the list is representative of all covered entities and business associates in the United States. Regardless, the information can be useful in informing hospitals and health systems as to where they stand in reference to patient data protection.
Here are five key findings from the research.
1. The frequency of data breaches per organization is rising. Nearly all (94 percent) of the hospitals surveyed in the study have had at least one data breach in the last two years. Forty-five percent report that they have had more than five incidents.
"A data breach does not always mean it was a monster event where hundreds of thousands of records were lost. A data breach could involve just a few patient records. However, there does seem to be more frequent activity regardless of the breach size," says Mr. Ponemon.
2. Data breaches have severe economic consequences. Data breaches are costing the U.S. healthcare industry an average of $7 billion annually. The economic impact of one or more data breaches for healthcare organizations in the study ranged from $10,000 to more than $1 million over a two-year period. According to Mr. Ponemon, Ponemon Institute uses an extrapolation method to estimate the economic impact of data breaches. Based upon the ranges provided by respondents, the average economic impact of a data breach is $2.4 million per organization, which is higher than in 2010. According to Mr. Ponemon, the amount increased about 15 percent.
3. Patients and their information are at risk for medical identity theft. According to Mr. Ponemon, a majority of organizations are seeing effects of data breaches in patient medical identity theft. More than half of organizations (52 percent) reported experiencing medical identity theft for a patient. Thirty-nine percent said it resulted in inaccuracies in the patient's medical record, and 26 percent said it affected the patient's medical treatment. In addition, 54 percent of organizations admit to having little or no confidence they can detect all patient data loss or theft at the organization.
"The biggest surprise was that organizations are just now waking up to medical identity theft. It has existed for quite a while. It is a big problem, and now we are seeing organizations realize that they may have a responsibility to detect," says Mr. Ponemon.
4. Trends in mobile health and "bring your own device" present major risks. According to Mr. Ponemon, one of the biggest issues revealed in the study was the role mobile technology — devices most likely to threaten data — play in data breaches, especially with a drastic increase in the prevalence of smart phones and tablets. In 2010, 7 percent of hospitals reported that their physicians and staff used tablets. This year, hospitals reported 18 percent of their staff use tablets. According to Mr. Ponemon, the use of smart phones has seen similar increases.
Eighty-one percent of organizations reported that they permit their employees to use their own mobile devices at work, and 81 percent of hospitals know their staff use their personal devices to connect to networks and enterprise systems. However, 46 percent of hospitals admitted to doing nothing to ensure those devices are secure.
5. Organizations embrace the cloud despite uncertainty. Ninety-one percent of hospitals reported using some form of cloud services, but 47 percent of hospitals admitted a lack of confidence in the data security among cloud providers. Twenty-six percent of hospitals reported storing patient information in the cloud, 30 percent store billing information in the cloud and 34 percent store administrative information in the cloud. The study findings imply that healthcare providers may be storing data on cloud servers they are not entirely confident are secure.
"How do we know if the cloud system or cloud administration is handling data in a secure way? Providers may not fully understand the cloud, so they are uncertain and not confident in its security," says Mr. Ponemon.
What can hospitals and providers do?
Although the healthcare industry's problem with data breaches may get worse before it gets better, hospitals and providers can be active in strengthening their arsenal against security threats.
"The trend continues: data breaches are increasing, patient information is at risk, yet healthcare organizations continue to follow the same processes," says Rick Kam, president and co-founder of ID Experts. "Clearly, in order for the trend to shift, organizations need to commit to this problem and make significant changes. Otherwise, as the data indicates, they will be functioning in continual operational disruption."
Here, Mr. Kam offers four recommendations that hospitals and providers may use to make significant changes in their data breach prevention methods.
1. Operationalize pre-breach and post-breach processes. According to Mr. Kam, executives need to operationalize their breach responses by incorporating elements of an incident response plan into daily processes and business practices. "Even something as small as installing protection appliances into the network so someone is signaled when an employee sends healthcare data outside the network will be more effective," says Mr. Kam.
Many healthcare executives still view data breaches as catastrophic events rather than potentially daily occurrences. Not every data breach involves thousands of records. According to Mr. Kam, until executives start preparing for smaller data breaches by incorporating processes to catch small breaches, they will continue to deal with security risks.
"[Executives] need to look at where the vector of risks is coming from. Larry mentioned BYOD and cloud computing. [Executives] really need to evaluate what is changing and put in the processes and procedures to help the hospital deal with this on a daily basis," says Mr. Kam.
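As an added illustration of the kind of daily "signal" Mr. Kam describes (this is example code written for this page, not a tool from the study, ID Experts or the article), the Python below scans constructed outbound-transfer log lines, keeps only transfers whose destination lies outside the hospital's internal address ranges, and raises an alert when the transferred content carries patient-identifier patterns. The log format, the internal network ranges, and the identifier patterns (medical record number, Social Security number, date of birth) are all assumptions chosen for the example; a real deployment would take its formats and patterns from the organization's own data classification.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample egress log (not real data; format is an assumption).
# Each line: timestamp, user, destination IP, byte count, and a metadata
# snippet of what was sent. Private-use and documentation (TEST-NET)
# addresses are used so nothing here points at a real host.
SAMPLE_EGRESS_LOG = """\
2012-12-06T09:14:02 user=jdoe dst=10.20.5.17 bytes=4821 content="MRN 4417823 DOB 1961-04-12"
2012-12-06T09:16:40 user=asmith dst=203.0.113.45 bytes=91200 content="MRN 9920341 SSN 123-45-6789 discharge summary"
2012-12-06T09:17:11 user=asmith dst=203.0.113.45 bytes=1500 content="lunch menu"
2012-12-06T09:20:55 user=rlee dst=198.51.100.8 bytes=3300 content="patient MRN 1100234 lab results"
"""

# Assumed internal ranges: anything outside these counts as "outside the network".
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Assumed patient-identifier patterns. Ordered so alerts list hits consistently.
PHI_PATTERNS = {
    "mrn": re.compile(r"\bMRN\s*\d{6,}\b"),          # medical record number
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),      # US Social Security number
    "dob": re.compile(r"\bDOB\s*\d{4}-\d{2}-\d{2}\b"),  # date of birth
}

LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) dst=(?P<dst>\S+) '
    r'bytes=(?P<bytes>\d+) content="(?P<content>[^"]*)"$'
)


@dataclass
class Alert:
    """One flagged transfer: who sent identifier-bearing content where."""
    timestamp: str
    user: str
    destination: str
    indicators: list = field(default_factory=list)


def parse_line(line):
    """Return the parsed fields of one log line, or None if it is malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_external(ip_text):
    """True when the destination is not inside any internal range."""
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in INTERNAL_NETWORKS)


def find_phi_egress(log_text):
    """Scan a log and return an Alert for each external transfer carrying
    content that matches at least one patient-identifier pattern."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_external(rec["dst"]):
            continue  # malformed, or stayed inside the network: not a signal
        hits = [name for name, pat in PHI_PATTERNS.items() if pat.search(rec["content"])]
        if hits:
            alerts.append(Alert(rec["ts"], rec["user"], rec["dst"], hits))
    return alerts


def alerts_per_user(alerts):
    """Daily roll-up: how many flagged transfers each user generated."""
    counts = {}
    for a in alerts:
        counts[a.user] = counts.get(a.user, 0) + 1
    return counts


if __name__ == "__main__":
    found = find_phi_egress(SAMPLE_EGRESS_LOG)
    for a in found:
        print(f"{a.timestamp} {a.user} -> {a.destination}: {', '.join(a.indicators)}")
    print(alerts_per_user(found))
```

Run against the constructed log, the internal transfer by jdoe is ignored even though it contains identifiers, asmith's two transfers produce one alert (the discharge summary) and the lunch menu produces none, and rlee's lab-results transfer is flagged for the record number alone. The point of the roll-up is the one Mr. Kam makes: a single flagged transfer is a small event, but counting them every day turns small breaches into something the organization actually sees.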
2. Restructure the information security function. According to Mr. Kam, hospitals should restructure their information security and privacy functions to introduce more accountability in reporting.
"A hospital's board decides what is important for governance and efficiency across the hospital. If reporting on security and privacy goes directly to the board, it will symbolize and reinforce commitment to data privacy and security," says Mr. Kam.
3. Update policies and procedures to include mobile devices and cloud services. The Ponemon Institute's study clearly demonstrates the growing prevalence of mobile devices, especially BYOD, as well as a growing use of cloud systems despite security concerns. "The amount of data breaches continues to increase. However, the lack of focus and resource allocation by executives to protect the information remains the same," says Mr. Kam.
Mr. Kam suggests that organizations update policies and procedures to include risk mitigation strategies and tools to detect and protect information used and shared via mHealth and cloud services.
4. Ensure the incident response plan covers business associates and partners. In the past, it was important to have a response plan covering the hospital or health system, but now it is necessary that the plan covers business associates, partners and cyber insurance as well.
"Larry mentioned that data breach frequency is up to about 94 percent [of hospitals]. Organizations are seeing this risk occur, but they are not changing how they deal with it," says Mr. Kam. "Hospitals share data with business associates and other organizations daily. It is those transactions that need to be secured. The incident response plan needs to account for those exchanges."
While technology is a positive force in healthcare from a cost point of view, it is also disruptive to the privacy and security of patients. "My gut tells me that things may get worse before they get better. Technology has a really important place in healthcare, but it also creates a risk and likelihood of data loss," says Mr. Ponemon. It is important for hospitals and health systems to be aware of emerging technologies — the new risks and threats they introduce in addition to what they offer in health services — so they can amend policies and procedures accordingly. Data breaches are no longer a question of if but when, so there is no such thing as too much preparation.
© Copyright ASC COMMUNICATIONS 2012.