Data attacks on healthcare flying high
In the realm of privacy and security, heeding snooping employees and encrypting portable devices isn't enough in healthcare these days. Criminal attacks on hospitals are on a huge upward trend, with a whopping 100 percent increase reported from just four years ago. That's according to a new Ponemon Institute study released today.
This year, 40 percent of healthcare organizations have reported a criminal data attack. Business associates who are not yet compliant with HIPAA, along with employees given the green light to use their unsecured devices, certainly are not helping these numbers, say Ponemon officials.
The news isn't all bad, however. Data breaches have actually slightly declined in recent years, but it's still no number meriting celebration, as breaches continue to cost the industry a pretty penny, $5.6 billion annually to be exact.
"It suggests healthcare organizations are making modest progress on managing sensitive patient information," said Larry Ponemon, chairman and founder, Ponemon Institute, in an interview with Healthcare IT News. "I want to underscore the word 'modest.'"
Breaking it down by organization, healthcare groups who experience a data breach can expect to pay out some $2 million over a two-year period. Moreover, an overwhelming 90 percent of survey respondents reported at least one data breach over the past two years, while 38 percent have had more than five data breaches in the same time period, officials pointed out.
"Employee negligence, such as a lost laptop, continues to be at the root of most data breaches in this study. However, the latest trend we are seeing is the uptick in criminal attacks on hospitals," said Ponemon, in a March 12 press statement. "The combination of insider-outsider threats presents a multi-level challenge, and healthcare organizations are lacking the resources to address this reality."
In additional findings, some 75 percent of healthcare organizations cited employee negligence as the top security concern, as employees increase the exposure of sensitive data through the growing use of their personal unsecured devices. Bring-your-own-device policies, officials say, also present new risks, as personal devices have become harder to manage, control and secure.
In fact, 88 percent of organizations permit employees and medical staff to use their own mobile devices to connect to their organization's networks or enterprise systems such as email, with access to patient information. Similar to last year's study, more than 50 percent of industry groups are not confident the personally owned mobile devices are secure. Yet, 38 percent of organizations fail to take steps to ensure these devices are secure.
Report findings also underscore healthcare groups' growing distrust in their business associates relating to protecting patients' health information. Some 73 percent of organizations are not confident or only slightly confident that their third parties are able to detect a security incident, perform an incident risk assessment and notify them in the event of a data breach. According to those surveyed, the business associates who present the greatest risks to patient information are IT service providers, claims processors and benefits management.
DOING IT RIGHT
Despite the threats data breaches pose, some organizations have worked diligently to better protect patient information. As report findings suggest, data breach numbers are actually slightly down this year.