As millions of new patients enter the US health care system under the Affordable Care Act, patient records have become a smorgasbord for criminals. The "Fourth Annual Benchmark Study on Patient Privacy and Data Security" by Ponemon Institute, sponsored by ID Experts, reveals new security and privacy threats to hospitals and the patient records they manage. One of the key threats is the unproven security in the health insurance marketplaces, created as a result of the Affordable Care Act. According to the report, other top threats include criminal attacks, employee negligence, unsecured mobile devices (smartphones, laptops, and tablets), and third parties—causing organizations to scramble.
Cyber Thieves Are Following the Money
Patient records attract both insider and outsider threats because of what the information is worth to criminals. A record typically contains personally identifiable information (PII) and protected health information (PHI). Combined, this is highly sensitive "regulated data," tightly controlled by federal law, including HIPAA and GLBA, as well as numerous state breach notification laws.
"Employee negligence, such as a lost laptop, continues to be at the root of most data breaches in this study. However, the latest trend we are seeing is the uptick in criminal attacks on hospitals, which have increased a staggering 100% since the first study four years ago," says Larry Ponemon, PhD, chairman and founder of the Ponemon Institute. "The combination of insider-outsider threats presents a multilevel challenge, and health care organizations are lacking the resources to address this reality."
Key findings include the following:
• Data breaches have declined slightly, though remain high. Data breaches now cost health care organizations $5.6 billion annually, slightly lower than past years. Ninety percent of respondents had at least one data breach over the past two years, while 38% have had more than five data breaches in the same time period. While the total number of data breaches in health care has declined slightly—indicating that health care organizations are making some progress—the threats to patient data remain high. Many organizations remain overwhelmed and struggle with incident management and compliance with the myriad of regulations.
• Affordable Care Act increases risks to millions of patients and their information. Nearly 70% of respondents believe the Affordable Care Act has increased or significantly increased the risk to millions of patients, because of inadequate security. The concerns include insecure exchanges between health care providers and government (75%), insecure databases (65%), and insecure websites for patient registration (63%). One-third of organizations surveyed say they do not plan to become a member of a health information exchange (HIE); 72% are not confident or only somewhat confident in the security and privacy of patient data shared on HIEs.
• Negligent employees and unsecured devices in the workplace remain a big security threat. Seventy-five percent of organizations cite employee negligence as their biggest security worry, and the growing use of personal, unsecured devices (smartphones, laptops, and tablets) increases the exposure of sensitive data. Bring your own device (BYOD) is not a new phenomenon, but it is a growing risk, as personal devices have become harder to manage, control, and secure. In fact, 88% of organizations permit employees and medical staff to use their own mobile devices to connect to the organization's network or to enterprise systems such as e-mail, giving those devices access to patient information. As in last year's study, more than one-half of organizations are not confident that personally owned mobile devices are secure, yet 38% of organizations take no steps to secure these devices or to prevent them from accessing sensitive information.
• Health care organizations don't trust their third parties (business associates) with sensitive patient information. Business associates are third-party companies that work with health care organizations and have access to patient information; they are still struggling to comply with the HIPAA Final Rule, the federal regulation intended to safeguard that information. Seventy-three percent of organizations are not confident or only slightly confident that their third parties are able to detect a security incident, perform an incident risk assessment, and notify them in the event of a data breach. Only 30% of organizations are confident that their business associates are appropriately safeguarding patient information as the HIPAA Final Rule requires. According to those surveyed, the business associates that present the greatest risk to patient information are IT service providers, claims processors, and benefits managers.
Patching Holes Is Overwhelming for Organizations
"It's been a year since the HIPAA Final Rule was issued, and we have seen health care organizations make some good progress towards complying with federal privacy and security guidelines and better safeguarding patient information. However, because the threats and risks are shifting, organizations are in a constant state of catch up," says Rick Kam, CIPP/US, president and cofounder of ID Experts. "It's like a bucket filled with water, with holes in it. The water keeps spurting out, and every time you patch one hole, a new hole forms. The process of patching old and new holes is overwhelming, and this new data validates that issue."
Sources: ID Experts and Ponemon Institute