Criminal Attacks on Healthcare Organizations Increase 100 Percent

March 12, 2014

Newest Ponemon Study Outlines Top Security Threats to Patient Information

TRAVERSE CITY, Mich. and PORTLAND, Ore., March 12, 2014 /PRNewswire/ — As millions of new patients enter the U.S. healthcare system under the Affordable Care Act, patient records have become a smorgasbord for criminals. The Fourth Annual Benchmark Study on Patient Privacy and Data Security by Ponemon Institute, sponsored by ID Experts®, reveals new security and privacy threats to hospitals and the patient records they manage. One of the key threats is the unproven security in the health insurance marketplaces, created as a result of the Affordable Care Act. According to the report, other top threats include: criminal attacks, employee negligence, unsecured mobile devices (smartphones, laptops, and tablets), and third parties–causing organizations to scramble. For a free copy of the Fourth Annual Benchmark Study on Patient Privacy and Data Security, visit www2.idexpertscorp.com/ponemon.

Cyber Thieves are Following the Money

Patient records are vulnerable to both insider and outsider threats because of the value of the information to criminals. These records contain personally identifiable information (PII) and protected health information (PHI). When combined, this information represents highly sensitive “regulated data,” which is tightly controlled by federal laws, including HIPAA and GLBA, as well as numerous state breach notification laws.

“Employee negligence, such as a lost laptop, continues to be at the root of most data breaches in this study. However, the latest trend we are seeing is the uptick in criminal attacks on hospitals, which have increased a staggering 100 percent since the first study four years ago,” said Dr. Larry Ponemon, chairman and founder, Ponemon Institute. “The combination of insider-outsider threats presents a multi-level challenge, and healthcare organizations are lacking the resources to address this reality.”

Key Findings of the Research

    --  Data breaches have declined slightly, though remain high. Data breaches
        now cost healthcare organizations $5.6 billion annually, slightly lower
        than past years. Ninety percent of respondents had at least one data
        breach over the past two years, while 38 percent have had more than five
        data breaches in the same time period. While the total number of data
        breaches in healthcare has declined slightly (indicating that healthcare
        organizations are making some progress), the threats to patient data
        remain high. Many organizations remain overwhelmed and struggle with
        incident management and compliance with the myriad of regulations.

    --  Affordable Care Act increases risks to millions of patients and their
        information. Nearly 70 percent of respondents believe the Affordable Care
        Act has increased or significantly increased the risk to millions of
        patients, because of inadequate security. The concerns include insecure
        exchanges between healthcare providers and government (75 percent),
        insecure databases (65 percent), and insecure websites for patient
        registration (63 percent). One-third of organizations surveyed say they
        do not plan to become a member of a Health Information Exchange (HIE);
        72 percent are not confident or only somewhat confident in the security
        and privacy of patient data shared on HIEs.

    --  Negligent employees and unsecured devices in the workplace remain a big
        security threat. Seventy-five percent of organizations cite employee
        negligence as their biggest security worry, as they increase exposure to
        sensitive data by the growing use of their personal unsecured devices
        (smartphones, laptops and tablets). Bring Your Own Device (BYOD) is not
        a new phenomenon but is a new risk, as personal devices have become
        harder to manage, control, and secure. In fact, 88 percent of
        organizations permit employees and medical staff to use their own mobile
        devices to connect to their organization's networks or enterprise
        systems such as email, with access to patient information. Similar to
        last year's study, more than half of organizations are not confident
        that the personally owned mobile devices are secure. Yet, 38 percent of
        organizations don't take steps to ensure these devices are secure or
        prevent them from accessing sensitive information.

    --  Healthcare organizations don't trust their third parties (Business
        Associates) with sensitive patient information. "Business Associates" are
        third-party companies that work with healthcare organizations. They have
        access to patient information and are still struggling to comply with
        the HIPAA Final Rule, the 2013 federal regulation that made business
        associates directly responsible for safeguarding protected health
        information. Seventy-three percent of organizations are not confident or
        only slightly confident that their third parties are able to detect a
        security incident, perform an incident risk assessment and notify them
        in the event of a data breach. Only 30 percent of organizations are
        confident that their business associates are appropriately safeguarding
        patient information as required by the federal HIPAA Final Rule.
        According to those surveyed, the Business Associates that present the
        greatest risks to patient information are IT service providers, claims
        processors, and benefits management.

Patching Holes is Overwhelming for Organizations

“It’s been a year since the HIPAA Final Rule was issued, and we have seen healthcare organizations make some good progress towards complying with federal privacy and security guidelines and better safeguarding patient information. However, because the threats and risks are shifting, organizations are in a constant state of catch up,” said Rick Kam, CIPP/US, president and co-founder of ID Experts. “It’s like a bucket filled with water, with holes in it. The water keeps spurting out, and every time you patch one hole, a new hole forms. The process of patching old and new holes is overwhelming, and this new data validates that issue.”

Research Findings Further Discussed: Press Conference Call, Webinar, Conference

A press conference call to outline the key findings will take place today, Wednesday, March 12, 2014, at 10:00 a.m. PT/1:00 p.m. ET. To participate, call 877-668-4490; Attendee code: 70828231. A free webinar, ACA Impacts on Patient Data Security–with Dr. Larry Ponemon, Ponemon Institute, and Rick Kam, CIPP/US, ID Experts–will be held Tuesday, April 8, 2014, at 11:00 a.m. PT/2:00 p.m. ET. To register, visit http://bit.ly/1ih2fqi. Additionally, the second annual PHI Protection Network Conference will be held Thursday, April 10, 2014, in Anaheim, Calif. To register for Adopting Best Practices and Protecting Patients, visit phiprotection.org.

About the Study

The Fourth Annual Benchmark Study on Patient Privacy and Data Security utilized in-depth, field-based research involving interviews with senior-level personnel at healthcare providers to collect information on the actual data loss and data theft experiences at their organizations. This benchmark research, in contrast to a traditional survey-based approach, enables researchers to collect both the qualitative and quantitative data necessary to understand the current status of patient privacy and data security of those who participated in the study.

About Ponemon Institute

Ponemon Institute is dedicated to advancing responsible information and privacy management practices in business and government. To achieve this objective, the Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations in a variety of industries.

About ID Experts

ID Experts provides software and services for managing the disclosure and breaches of regulated data. Leading organizations in healthcare, insurance, financial services, higher education, and government rely on ID Experts’ patented RADAR(TM) data incident management software and data breach response services for managing risks. ID Experts is exclusively endorsed by the American Hospital Association. ID Experts is an advocate for privacy and a leading contributor to legislation and industry organizations that focus on the protection of PHI and PII. On the web: http://www2.idexpertscorp.com/.

SOURCE ID Experts; Ponemon Institute

Source: PR Newswire