12/7/2011
02:07 PM

Patient Data Losses Jump 32%

Growing use of mobile devices in healthcare has intensified the security risk associated with managing patient data.

The frequency of patient data losses at healthcare organizations has increased by 32% compared to last year, with nearly half (49%) of respondents citing lost or stolen computing devices such as laptops, tablets, and smartphones, according to recently published figures from the Ponemon Institute's second annual benchmark study on patient data security.

The latest report--2011 Benchmark Study on Patient Privacy and Data Security--estimates that data losses and security breaches cost the U.S. healthcare industry about $6.5 billion. And healthcare organizations face challenges in their ability to stem those losses.

Some 61% of organizations said they are not confident they know where their patient data is physically located, 55% said they have little or no confidence in their ability to detect all privacy incidents, and 46% reported that patient data breaches and data losses occurred among third-party business associates.

Fighting patient data losses and security breaches will entail beefing up health IT personnel and procedures to combat these weaknesses. However, 54% of respondents said they have an inadequate budget for security and privacy, 45% said there is insufficient risk assessment, and another 43% identified a lack of trained staff and end users as a problem.

"Healthcare organizations tend to underspend relative to other industries on security. A lot of healthcare organizations figure that their mission in life is to treat people and get them well, it's really not about patient data security," Larry Ponemon, chairman and founder of the Ponemon Institute, told InformationWeek Healthcare.

Ponemon also said that while the healthcare industry is required to meet security and privacy regulations under the Health Information Technology for Economic and Clinical Health (HITECH) Act and the Health Insurance Portability and Accountability Act (HIPAA), many organizations don't do enough to enforce privacy and security measures.

"They'll check the box to say we have a training program, but they really don't do enough of a deep sophisticated comprehensive security check that can affect the security posture of the healthcare organization," Ponemon added.

Further complicating matters has been the increasing use of mobile devices by doctors and other clinicians. The study found that 81% of healthcare organizations report that they use mobile devices to collect, store, and transmit some form of protected health information. However, 49% of participants admit their organizations do nothing to protect these devices.

"Mobile devices are the authentication mechanism by which a physician or a clinician gets into the health database. So if you are really sloppy on security and these devices get into the hands of a cyber criminal it could get them into the crown jewels of patient data," Ponemon said.

The report, which relied on feedback from 72 healthcare organizations, was sponsored by ID Experts, a company that provides software and services designed to protect businesses and individuals from fraud and identity theft.

According to Rick Kam, president and co-founder of ID Experts, there are several steps healthcare professionals and organizations can take to reduce the number of patient data breaches.

One key step is to improve the types of passwords being used. Many people use the same password--or a variation of it--for everything, from unlocking their smartphone to accessing their bank accounts to logging into Facebook. Best practices suggest that users should vary their passwords and use a combination of letters, numbers, and symbols. Also, changing them periodically can minimize potential damage.

Patients also need to better understand how their medical data is managed and what they should do if their information is compromised. Frequently, when data is compromised, hacked, or lost, those in charge of the data offer the victim credit monitoring. Kam said patients facing the potential threat of lost or stolen data should tell the healthcare provider they want medical identity monitoring services that will alert them to suspicious activity involving their medical claims.

Comments
AHoV7X,
User Rank: Apprentice
12/8/2011 | 6:30:20 PM
re: Patient Data Losses Jump 32%
This is really an unfortunate stat, but it's something that should decline as more hospitals put measures in place to assure the safety of patient information. As seen in the mHealth Summit 2011, mobile in the hospital can't be stopped. It provides so many upsides, like access to patient data and flexibility.

However, it's the hospital's responsibility to protect this data. By empowering the IT department, an IT administrator can assure all devices accessing EHRs in the system have the proper tools in place to protect the data. And if a device goes missing, with the right tools, an IT administrator can track the device or remotely wipe all the information on the device. With these safeguards in place, patients' data will be protected, and the growth of mobile in hospitals can continue.

Stephen Midgley, Absolute Software
http://blog.absolute.com/
Lisa Henderson,
User Rank: Apprentice
12/8/2011 | 8:28:05 PM
re: Patient Data Losses Jump 32%
In the last paragraph, it is suggested that the patient ask for medical identity monitoring services if they have been compromised after the fact? I guess that's a good route to go, if the data security problem gets that far. It is difficult for patients to trust their data on the Internet and electronically already, this survey really is discouraging for those that want to push patients into the electronic realm.

Lisa Henderson, InformationWeek Healthcare, contributing editor