Hospitals far from immune to patient-data theft

Health care industry falls short in securing data for patients as BYOD and cloud adoption rise, security funding tumbles

Health care professionals may preach the benefits of prevention to ward off sickness, but their employers don't appear to apply that advice to stopping patient-data theft: 94 percent of health care organizations in the United States have suffered a data breach over the past two years, and 45 percent have fallen victim to more than five, according to a recent study out of Ponemon Institute.

Not surprisingly, end-user ignorance and carelessness were the No. 1 cause of these breaches, which cost the health care industry as much as $7 billion per year. Trends such as BYOD (bring your own device) and cloud adoption have also contributed to the rise in data-breach vulnerability -- not to mention a lack of funding for technology and skilled security personnel.

Ponemon's "Third Annual Benchmark Study on Patient Privacy and Data Security" [PDF] points to an increase in data breaches against hospitals and clinics throughout the country. In 2010, only 29 percent of respondents said their organization had suffered more than five attacks, for example. Data thieves were primarily after victims' medical files and billing and insurance records, according to the study. When this data falls into a bad guy's hands, it increases the victim's risk of suffering financial or medical identity theft.

In general, the primary cause of breaches was a lost or stolen computing device (46 percent), followed by employee mistakes or unintentional actions (42 percent), and third-party snafus (42 percent). IT professionals have had to deal with a surge in criminal attacks, too; they've seen an increase from 20 percent in 2010 to 33 percent this year, according to the study.

Just over half of the organizations reported one of more incidents of medical identity theft in 2012, and 32 percent said they weren't even sure where the leak occurred. That could be in part because one-third of respondents admitted they don't have sufficient controls in place to detect medical identity theft.

In fact, just 40 percent of respondents expressed confidence in their ability to prevent and detect a data breach, though that figure is up from 31 percent in 2010. What has improved, according to the study, is that organizations are relying less on an "ad hoc" process and more on policies and procedures and a combination of manual procedures and security technologies.

The prevalence of BYOD hasn't helped keep sensitive health care data safe. Eighty-one percent of U.S. health care organizations permit employees and medical staff to connect to enterprise systems with their personal devices; on average, 51 percent of employees bring their own devices to the health care facility.

Another potential threat, according to Ponemon: 69 percent of hospitals and clinics don't secure their medical devices, such as wireless heart pumps and mammogram imaging machines, which often use commercial PCS and wireless connections. The implication here, according to Ponemon, is that health care providers believe IT vendors are responsible for protecting this equipment.

Finally, the study found that 62 percent of health care organizations use cloud services moderately or heavily -- and 70 percent of respondents expressed concerns that their data residing in the cloud was secure.

The biggest barriers IT departments face in the health care world in defending against data breaches include a shortage of technology, funding, and expertise, according to the study. Fifty-two percent of respondents concurred that their organizations had sufficient policies and procedures to prevent or quickly detect unauthorized patient data access, loss, or theft, up from 41 percent in 2010. However, just 27 percent said they had enough resources and 34 percent felt they had an adequate sufficient security budget. Only 40 percent said they had the right technologies, and 45 percent claimed they had the right personnel.

To their credit, organizations have made an effort by complying with HIPAA privacy and security awareness training for all staff. Around half said they vet and monitor third parties, including business associates; 48 percent perform annual security risk assessments.

This article, "Hospitals far from immune to patient-data theft," was originally published at Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest business technology news, follow on Twitter.

Copyright © 2013 IDG Communications, Inc.

How to choose a low-code development platform