Privacy & Security

Healthcare data security is like a box of chocolates

Some big surprises from a recent security study
By Rick Kam
June 04, 2015
10:51 AM

The Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data by Ponemon Institute had more surprises than Forrest Gump’s box of chocolates – surprises that were far from palatable. One key finding was that criminal attacks are up 125 percent and are now the leading cause of healthcare data breaches. Other results of the study were just as unsettling:

Surprise 1: Sixty-five percent of healthcare organizations do not offer any protection services for patients whose information has been lost or stolen. With cyber threats on healthcare data mounting, this is unacceptable. Ironically, the Ponemon study also found that 65 percent of healthcare organizations—the same percentage that don’t offer protection services—believe patients whose records have been lost or stolen are more likely to become victims of medical identity theft.

According to the Ponemon Medical Identity Fraud Alliance study, 2014 Fifth Annual Study on Medical Identity Theft, medical identity theft nearly doubled in five years, from 1.4 million adult victims to over 2.3 million in 2014. Many medical identity theft victims report they have spent an average of almost $13,500 to restore their credit, reimburse their healthcare provider for fraudulent claims and correct inaccuracies in their health records. Healthcare organizations and business associates must make available medical identity monitoring and identity restoration services to patients whose healthcare records have been exposed.

On the other hand, the majority of people still don’t understand the serious risk of medical identity theft. They pay more attention to their credit score and financial information than they do their insurance EOBs or medical records. They don’t understand that while a credit card can be quickly and easily replaced, their medical identity can take years to be restored. When their records become polluted, patients can be misdiagnosed, mistreated, denied much needed medical services, or billed for services not rendered. Medical identity theft can literally kill you, as ID Experts CEO Bob Gregg has said.

Surprise 2: The average cost of a healthcare data breach has stayed fairly consistent over the past five years – $2.1 million. This is in contrast to the average total cost of data breach in general, which has risen 23 percent over the past two years to $3.79 million, according to another recent Ponemon report, 2015 Cost of Data Breach Study: Global Analysis. Cyber liability insurance to cover notification costs, better options for identity monitoring, and more privacy attorneys offering help should reduce the cost of healthcare data breaches over time.

Healthcare organizations can take proactive steps to reduce the likelihood and impact of a data breach. This means addressing the tactical issues of protecting patient data. According to Dr. Larry Ponemon, founder and chairman of Ponemon Institute, healthcare organizations face “the dual challenge of reducing both the insider risk and the malicious outsider. Both require different approaches that can tax even the most robust IT security budget.” 

According to the Ponemon report, 96 percent of healthcare organizations had a security incident involving lost or stolen devices, and employee negligence is the greatest concern among these organizations. Dr. Ponemon says healthcare providers should create “a more aggressive training and education awareness program, as well as invest in technologies that can safeguard patient data on mobile devices and prevent the exfiltration of sensitive information.”

These training and awareness programs should center around protecting PHI, especially education on how to avoid phishing emails and what to do to ensure data is not disclosed. Healthcare organizations must also collaborate with their business associates to also ensure they have similar programs in place. Additionally, ten strategies from the PHI Protection Network to protect patient data can be found here.

For external risks such as the growing number of criminal attacks, Dr. Ponemon says that healthcare providers must “assess what sensitive data needs to be monitored and protected, and the location of this data.” I would add that board and executive management must recognize that professional hackers are targeting health data and records and, as mentioned earlier, that such attacks are now the leading cause of data breaches in healthcare. This awareness should spur enterprise-wide alignment in addressing cyber threats.

Surprise 3: Too many healthcare organizations take an ad-hoc approach to incident risk assessment. Only 50 percent of healthcare organizations in the study performed the four-factor risk assessment following each security incident, as required by the HIPAA Final Rule. Of that 50 percent, 34 percent used an ad hoc risk assessment process, and 27 percent used a manual process or tool that was developed internally.

This practice is not acceptable. Healthcare organizations now have software tools available to help automate and streamline processes such as risk assessment and data breach response. By supporting consistent and objective analysis of security incidents, providing a central repository for all incident information, and streamlining the documentation and reporting process, these tools can improve outcomes and free an organization’s privacy and security staff to spend more time on prevention.

So far, 2015 has been a bad year for protecting patients and their data. Increasing cyber attacks mean that even more patients and their data will be put in harm’s way. While nobody can escape the inevitable security incidents, it is my hope that we can all learn lessons from the Ponemon study and each other, and work more collectively so that next year will bring fewer unpleasant surprises and many more happy ones.

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.

Top Story

Dr. Eve Cunningham on virtual care at Providence
Remote Patient Monitoring
At Providence, RPM is improving patient health and reducing provider workload

Most Read

Change Healthcare cyberattack still impacting pharmacies, as H-ISAC issues alert
OCR settles its 2nd ransomware investigation, probably not the last
NIST updates Cybersecurity Framework with Version 2.0
HSCC publishes 5-year healthcare cybersecurity strategic plan
Healthcare is the big victim of Blackcat's cyber counteroffensive
A sense of urgency at the Healthcare Cybersecurity Forum

Research

White Papers

More Whitepapers

Compliance & Legal
Artificial Intelligence
Analytics

Webinars

More Webinars

Artificial Intelligence
Analytics
Analytics

More Stories

Person at a desk with a laptop crunches numbers on a calculator
Small medical practices will close because of Change cyberattack, says AMA
MaryAnn Connor at Memorial Sloan Kettering Cancer Center_Palm trees and skyscrapers in Orlando Photo by Gabriele Maltinti/iStock/Getty Images Plus
Care problems become technology systems via nurse informaticists
Person talking to a doctor on a tablet screen
Patient concerns in healthcare digitalisation: Rising inequalities
Mount Elizabeth Novena Hospital under Parkway Hospitals, part of the IHH Healthcare Group
IHH Healthcare migrates Malaysia, S'pore database...
Dr. Donald Warne at the Center for Indigenous Health at Johns Hopkins_Palm trees and skyscrapers in Orlando Photo by Gabriele Maltinti/iStock/Getty Images Plus
Indigenous communities need to be engaged with healthcare choices
HIMSSCast podcast
HIMSSCast: New analytics strategies for patient-centric pop health
Penn Medicine's Perelman Center for Advanced Medicine
Conversational AI improves 'fourth trimester' maternal care at Penn Medicine
Close-up of doctor lookin at data on a tablet
Doctors are getting on board with genAI, survey shows