Survey: Majority of organizations don't protect patient data during software development

By Molly Merrill
02:38 PM

Serious risks to patient data exist in the development and testing of healthcare software, according to survey findings published Tuesday in a new report by the Ponemon Institute. The report calls for data masking – transforming the data so it is not available outside of its authorized environment – in order to mitigate this risk.

The survey, which was sponsored by Informatica Corporation, a data integration software provider, polled more than 450 IT professionals in U.S. healthcare organizations. The findings were published in Ponemon Institute's new report, Health Data at Risk in Development: A Call for Data Masking.

The report examines the widespread use of real patient data in healthcare application development and test environments, and details how this practice exposes healthcare organizations to the risk of non-compliance with regulations such as the Health Insurance Portability and Accountability Act (HIPAA).

Some key findings of the survey are:

  • Fifty-one percent of those surveyed do not protect patient data used in software development and testing.
  • Seventy-eight percent are not confident or else are undecided as to whether their organization could even detect the theft or accidental loss of real data in development or testing.
  • Thirty-eight percent have had a breach involving data in a development and test environment and 12 percent are unsure if they have had a breach or not.
  • Fifty-nine percent of those experiencing breaches consequently experienced disruption of operations, 56 percent faced regulatory action and 36 percent suffered reputation loss.

The report should be "a wake-up call for the healthcare industry, where the average per-victim cost of a data loss is $294 – a whopping 44 percent higher than the norm across all industries," said Larry Ponemon, chairman and founder of the Ponemon Institute. "Healthcare organizations have achieved great success in safeguarding their data in production environments. Now it is time to act just as resolutely and systematically to protect patient confidentiality and privacy in non-production environments."

Outsourcing development and test activities and/or using cloud computing resources introduce additional risk factors, which often prevent healthcare organizations from turning to these potentially advantageous resources. The survey found that 40 percent do not outsource due to security concerns, while a mere 19 percent are confident or very confident about security in a cloud environment.

The survey found that protection of real data in the development and testing environment is important to respondents, but the majority of them either do not know whether, or do not believe that, they are successful in achieving this goal. Seventy-four percent say meeting privacy and data protection requirements in the healthcare services industry is important, but only 35 percent say they believe their company is successful in achieving this goal.

Ponemon Institute recommends the following actions to protect patient data:

  • Centralized executive oversight – Create a single point of executive-level responsibility coupled with policies and procedures for safeguarding your organization's real data in non-production environments.
  • Data masking – Invest in key technologies including tools to "transform or mask sensitive or confidential data without diminishing the richness of the data necessary for successful testing and development."

"Development and test environments have emerged as the new data security battlegrounds, and data masking is proving to be a critical component of any enterprise risk and compliance program," said Adam Wilson, general manager, Application Information Lifecycle Management, Informatica.

Data masking helps safeguard sensitive, private or confidential data such as protected health information (PHI) or personal health records (PHR) by masking it in-flight or in-place. As a result, fully functional, realistic data sets can be used safely in development, testing, training and other non-production environments. Regardless of whether the work is managed in-house, offshored or outsourced, companies can be more confident they are not violating the Health Information Technology for Economic and Clinical Health Act (HITECH Act) or other regulations.