Biggest 2014 Healthcare Data Security Threats Revealed
The biggest healthcare data security threats have been uncovered and published in a new report from the Ponemon Institute. The report highlights a number of perceived threats, and how healthcare providers and other HIPAA-covered entities lack faith in their company’s defenses.
Affordable Care Act has Increased the Risk of a Data Breach
The benefits of Obamacare are clear, but the Affordable Care Act security risk cannot be ignored. According to Ponemon data, 70% of healthcare professionals believe the introduction of the Affordable Care Act has increased the security risks faced by healthcare providers. Patient healthcare data is being put at risk of being disclosed, because while HIPAA-covered entities are making the move to Electronic Health Records (EHRs), many have not implemented the necessary security controls.
The survey revealed not one Affordable Care Act security risk, but many. The biggest area of concern was insecure exchanges between healthcare providers and the government; a channel of communication which, to any outsider, would be expected to be the most secure. 75% of respondents indicated that this was a major area of concern.
The data being stored – Protected Health Information (PHI) in particular – is of great value to cybercriminals and they are making a concerted effort to break through defenses to obtain that information. However, 65% of respondents had doubts about the security of their databases, which in many cases were not encrypted. A hacker breaking through could potentially access millions of records.
There is considerable potential for HIPAA violations and data breaches via insecure websites, some of which are being used as patient portals in which PHI is submitted. 63 percent of respondents indicated this was a major problem area.
The risks outweigh the benefits of becoming a member of a Health Information Exchange (HIE) for a third of respondents, while those that have become a member of an HIE believe that their security is insufficient, or a concern. 72 percent of respondents said they were not confident or only somewhat confident in the controls in place to secure data and protect the privacy of patients via their HIE.
Key Findings of the Ponemon Institute Study
The report indicates that while the number of data breaches reported has fallen slightly, a high volume of data breaches being still being reported and the risk of data exposure is only slightly lower than in past years. The cost of data breaches in the Unites States is estimated to have now risen to $5.6 billion annually.
It is no longer a case of whether a data breach will be suffered. It is now a case of when, or in many cases, when the next one will be suffered. 90% of respondents indicated they had suffered at least one data breach in the past two years, although the number of data breaches has fallen in the past 12 months. Only 38% of respondents indicated they had suffered a data breach in the past year.
The survey suggests that with the changes that need to be implemented to protect data under HIPAA, the Affordable Care Act and the move to EHRs, there is so much effort being put into HIPAA compliance that corners have to be cut. Until healthcare organizations get to grips with new legislative requirements, there is a real threat of becoming overwhelmed. Mentally and administratively.
The Biggest Healthcare Data Security Threats
Breaches can occur via a number of methods and plugging all of the security gaps can seem like an impossible task, especially with an extremely limited budget and lack of resources.
Employee negligence is perceived to be one of the biggest healthcare data security threats, with 75% of respondents saying that employee data breaches were their biggest security worry. The risk has risen considerably with the increase in healthcare BYOD schemes.
The number of organizations allowing personal devices to be used – via BYOD schemes – has risen to 88%, with these healthcare providers offering full or partial hospital network access and/or email access. Last year’s survey showed a lack of faith in security controls, with approximately half of healthcare providers “not confident” of their security controls. The situation has improved, but a year on, 38% of respondents said that they lacked confidence in their healthcare provider’s security controls, which in many cases, were non-existent.
Business Associates Perceived to be a Major Security Risk
Faith in healthcare providers’ defenses is low, but even lower when it comes to Business Associates (BAs). Under HIPAA, a BA is a company or individual that provides a service to a HIPAA-Covered Entity. When BAs require access to Protected Health Information (PHI) and Personally Identifiable Information (PII), they too need to make sure that the physical, administrative and technical safeguards are in place to protect the data.
Healthcare providers are not confident that their BAs have put the security controls in place. Only 30% said they were confident of their BAs security defenses. There is also a distinct lack of confidence in the ability of BAs to conduct full risk assessments, plug all security vulnerabilities and detect security breaches when they occur. There is also a lack of trust and fear that not all data breaches will be reported. 73% of respondents were either slightly confident or not confident in their BAs’ ability to keep data secure. The biggest risks were perceived to be benefit management BAs, claims processors and IT service providers.
The Omnibus Final Rule has been in effect for over a year and it is clear that healthcare providers believe their BAs are struggling to adapt to HIPAA Privacy and Security Rules. According to Rick Kam, president and co-founder of ID Experts, defending against cybersecurity attacks is a long and difficult process. “It’s like a bucket filled with water, with holes in it. The water keeps spurting out, and every time you patch one hole, a new hole forms. The process of patching old and new holes is overwhelming”. It is therefore no surprise that many BAs are struggling with HIPAA regulations and have not yet implemented all of the necessary policies, procedures and controls.