As the year draws to a close, it is a time to reflect on the lessons learned during 2012 regarding HIPAA compliance and dealing with healthcare data breaches. This year the pilot round of HIPAA-compliance audits was completed, indicating the sorry state of healthcare data security. There is clearly a lot to be done in 2013 to bring data security up to the minimum standards laid down by the Health Insurance Portability and Accountability Act.
2012 Ponemon Institute Data Security Study Suggests Widespread Non-Compliance
The Ponemon Institute Third Benchmark Study on Patient Privacy and Data Security – sponsored by ID Experts of Portland, Oregon – suggests healthcare data breaches are now “a large and costly threat.” It is also clear that healthcare providers are struggling to implement the appropriate defenses to keep patient data secure.
For the 2012 edition of the study, respondents were asked about data privacy and security issues related to HIPAA compliance and were asked to rate their organizations’ efforts to become compliant.
This year 80 organizations took part in the survey, including small standalone clinics, which comprised 19% of the sample. 36% of respondents worked for hospitals that are part of an integrated health delivery system, while 46% were healthcare providers that are part of a healthcare network.
Data Breaches have been Suffered by Virtually All Healthcare Providers
The results of the survey show that data loss, theft and exposure are pervasive. Virtually all participants – 96% – had suffered at least one data breach in the past 24 months, while an alarming 45% of respondents claimed their organizations had suffered more than 5 data breaches over the course of the past two years. These data breaches are costing the healthcare industry an estimated $7 billion a year.
Organizations are not only struggling to prevent data breaches; when they do occur, many healthcare providers lack the technology to identify them.
Larry Ponemon, Founder and Chairman of the Ponemon Institute, said “people are somewhat fatalistic, with the perception that they can’t get their arms around the problem completely. I’m not saying they are giving up, but they are not confident they can deal with these threats.”
Since 2010, when the Ponemon Institute started sending out its annual survey, the volume of data breaches being reported has increased significantly. The cost of these data breaches is considerable. When an organization suffers a data breach, it costs an average of $2.4 million to resolve. The survey asked respondents about the cost of data breaches: the minimum cost of resolution was calculated to be around $10,000, while many reported costs in excess of $1 million over 24 months. The average cost of a data breach has risen by $400,000 since 2010, a rise of approximately 15%.
While small data breaches continue to affect healthcare providers, larger breaches are now much more common, and require more money to resolve. According to the study, data breaches costing more than $500,000 to resolve have increased by 48% since the study began.
Main Causes of Healthcare Data Breaches in 2012
The threat from hackers is rising, but the majority of data breaches are not caused by external parties but by insiders, with the loss or theft of portable devices – such as laptops, tablets, storage drives and smartphones – the most common cause of data exposure. 46% of all data breaches involved the loss or theft of devices, while staff errors were responsible for 42% of breaches. Third-party errors were also very common.
Cyberattacks conducted by criminals have also risen. The survey data suggests 33% of data breaches have been caused by criminals seeking access to patient data, a 13% increase since 2010.
What Data is Being Stolen?
Healthcare data is of great value to criminals. Social Security numbers can be used to commit identity theft and file false tax returns, while healthcare data and insurance information can be used to make false medical claims. Protected Health Information (PHI) is being targeted, with 70% of respondents believing the risk of PHI exposure has increased.
One of the main problems mentioned by respondents was the increase in the number of devices that are now being used to connect to healthcare networks. The rise in popularity of Bring Your Own Device (BYOD) schemes is a particular challenge. According to the responses, 81% of healthcare providers allow personal devices to be used at work and, to varying degrees, to access their computer networks. More than half of employees have signed up to a BYOD scheme, but alarmingly, 46% of respondents claimed that their organizations did not take any action to secure those devices.
According to Larry Ponemon, “54 percent of respondents are not confident that the personally-owned mobile devices are secure. This year, 18 percent of respondents said a breach occurred due to lost or stolen mobile devices, more than double last year’s number.”
Another security issue raised is that of drug pumps and other medical devices which are connected to healthcare networks. These devices store patient data and need to be secured, yet 69% of respondents said their FDA-approved devices are not secured.
The cloud can also introduce security risks, but this has not deterred healthcare providers from taking advantage of the convenience of cloud computing. 62% of respondents said their organization used the cloud moderately or heavily, 47% said they do not believe the cloud to be secure, while 7% of organizations avoid cloud services altogether.
It’s not all bad news: confidence in data security systems has improved, with 40% of respondents saying they had confidence in their organizations’ ability to prevent data breaches, up from 31% last year. Furthermore, the efforts of the Department of Health and Human Services’ Office for Civil Rights are certainly having an effect: 36% of respondents said that the audits have had an impact on their privacy and data security policies.
That said, budgetary constraints are limiting the efforts made to achieve HIPAA compliance and many healthcare providers are only implementing the appropriate security measures after a breach has been suffered. A more proactive approach to data security and privacy must be developed if data breaches are to be avoided.
The final healthcare data breach report for 2012 will not be available until March 2013, as HIPAA-covered entities are allowed up to 60 days to report data breaches, and judging by the large number reported throughout the year, there are likely to be more entries added to the HHS “Wall of Shame” before the year is out.