02:07 PM

Patient Data Losses Jump 32%

Growing use of mobile devices in healthcare has intensified the security risk associated with managing patient data.

7 Patient Education Tools
7 Patient Education Tools
(click image for larger view and for slideshow)
The frequency of patient data losses at healthcare organizations has increased by 32% compared to last year, with nearly half (49%) of respondents citing lost or stolen computing devices such as laptops, tablets, and smartphones, according to recently published figures from the Ponemon Institute's second annual benchmark study on patient data security.

The latest report--2011 Benchmark Study on Patient Privacy and Data Security--estimates that data losses and security breaches cost the U.S. healthcare industry about $6.5 billion. And healthcare organizations face challenges in their ability to stem those losses.

Some 61% of organizations said they are not confident they know where their patient data is physically located, 55% said they have little or no confidence in their ability to detect all privacy incidents, and 46% reported that patient data breaches and data losses occurred among third-party business associates.

[ Mobile devices are not the only new security concern. Read Healthcare Cloud Brings Access Control Concerns. ]

Fighting patient data losses and security breaches will entail beefing up health IT personnel and procedures to combat these weaknesses. However, 54% of respondents said they have an inadequate budget for security and privacy, 45% said there is insufficient risk assessment, and another 43% identified a lack of trained staff and end users as a problem.

"Healthcare organizations tend to underspend relative to other industries on security. A lot of healthcare organizations figure that their mission in life is to treat people and get them well, it's really not about patient data security," Larry Ponemon, chairman and founder of the Ponemon Institute, told InformationWeek Healthcare.

Ponemon also said that while the healthcare industry is required to meet security and privacy regulations under the Health Information Technology for Economic and Clinical Health (HITECH) Act and the Health Insurance Portability and Accountability Act (HIPAA), many organizations don't do enough to enforce privacy and security measures.

"They'll check the box to say we have a training program, but they really don't do enough of a deep sophisticated comprehensive security check that can affect the security posture of the healthcare organization," Ponemon added.

Further complicating matters has been the increasing use of mobile devices by doctors and other clinicians. The study found that 81% of healthcare organizations report that they use mobile devices to collect, store, and transmit some form of protected health information. However, 49% of participants admit their organizations do nothing to protect these devices.

"Mobile devices are the authentication mechanism by which a physician or a clinician gets into the health database. So if you are really sloppy on security and these devices get into the hands of a cyber criminal it could get them into the crown jewels of patient data," Ponemon said.

The report, which relied on feedback from 72 healthcare organizations, was sponsored by ID Experts, a company that provides software and services designed to protect businesses and individuals from fraud and identity theft.

According to Rick Kam, president and co-founder of ID Experts, there are several steps healthcare professionals and organizations can take to reduce the number of patient data breaches.

One key step is to improve the types of passwords being used. Many people use the same password--or a variation of it--for everything, from unlocking their smartphone to accessing their bank accounts to logging into Facebook. Best practices suggest that users should vary their passwords and use a combination of letters, numbers, and symbols. Also, changing them periodically can minimize potential damage.

Patients also need to better understand how their medical data is managed and what they should do if their information is compromised. Frequently, when data is compromised, hacked, or lost, those in charge of the data offer the victim credit monitoring. Kam said patients facing the potential threat of lost or stolen data should tell the healthcare provider they want medical identity monitoring services that will alert them to suspicious activity involving your medical claims.

When are emerging technologies ready for clinical use? In the new issue of InformationWeek Healthcare, find out how three promising innovations--personalized medicine, clinical analytics, and natural language processing--show the trade-offs. Download the issue now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
User Rank: Apprentice
12/8/2011 | 6:30:20 PM
re: Patient Data Losses Jump 32%
This is really an unfortunate stat, but itGÇÖs something that should decline as more hospitals put measures in place to assure the safety of patient information. As seen in the mHealth Summit 2011, mobile in the hospital canGÇÖt be stopped. It provides so many upsides, like access to patient data and flexibility.

However, itGÇÖs the hospitals responsibility to protect this data. By empowering the IT department, an IT administrator can assure all devices accessing EHRs in the system have the proper tools in place to protect the data. And if a device goes missing, with the right tools, an IT administrator can track the device or remotely wipe all the information on the device. With these safeguards in place, patientsGÇÖ data will be protected, and the growth of mobile in hospitals can continue.

Stephen Midgley, Absolute Software
Lisa Henderson
Lisa Henderson,
User Rank: Apprentice
12/8/2011 | 8:28:05 PM
re: Patient Data Losses Jump 32%
In the last paragraph, it is suggested that the patient ask for medical identity monitoring services if they have been compromised after the fact? I guess that's a good route to go, if the data security problem gets that far. It is difficult for patients to trust their data on the Internet and electronically already, this survey really is discouraging for those that want to push patients into the electronic realm.

Lisa Henderson, InformationWeek Healthcare, contributing editor
Register for Dark Reading Newsletters
White Papers
Current Issue
E-Commerce Security: What Every Enterprise Needs to Know
The mainstream use of EMV smartcards in the US has experts predicting an increase in online fraud. Organizations will need to look at new tools and processes for building better breach detection and response capabilities.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio