Risk
12/7/2011
02:07 PM
50%
50%

Patient Data Losses Jump 32%

Growing use of mobile devices in healthcare has intensified the security risk associated with managing patient data.

7 Patient Education Tools
7 Patient Education Tools
(click image for larger view and for slideshow)
The frequency of patient data losses at healthcare organizations has increased by 32% compared to last year, with nearly half (49%) of respondents citing lost or stolen computing devices such as laptops, tablets, and smartphones, according to recently published figures from the Ponemon Institute's second annual benchmark study on patient data security.

The latest report--2011 Benchmark Study on Patient Privacy and Data Security--estimates that data losses and security breaches cost the U.S. healthcare industry about $6.5 billion. And healthcare organizations face challenges in their ability to stem those losses.

Some 61% of organizations said they are not confident they know where their patient data is physically located, 55% said they have little or no confidence in their ability to detect all privacy incidents, and 46% reported that patient data breaches and data losses occurred among third-party business associates.

[ Mobile devices are not the only new security concern. Read Healthcare Cloud Brings Access Control Concerns. ]

Fighting patient data losses and security breaches will entail beefing up health IT personnel and procedures to combat these weaknesses. However, 54% of respondents said they have an inadequate budget for security and privacy, 45% said there is insufficient risk assessment, and another 43% identified a lack of trained staff and end users as a problem.

"Healthcare organizations tend to underspend relative to other industries on security. A lot of healthcare organizations figure that their mission in life is to treat people and get them well, it's really not about patient data security," Larry Ponemon, chairman and founder of the Ponemon Institute, told InformationWeek Healthcare.

Ponemon also said that while the healthcare industry is required to meet security and privacy regulations under the Health Information Technology for Economic and Clinical Health (HITECH) Act and the Health Insurance Portability and Accountability Act (HIPAA), many organizations don't do enough to enforce privacy and security measures.

"They'll check the box to say we have a training program, but they really don't do enough of a deep sophisticated comprehensive security check that can affect the security posture of the healthcare organization," Ponemon added.

Further complicating matters has been the increasing use of mobile devices by doctors and other clinicians. The study found that 81% of healthcare organizations report that they use mobile devices to collect, store, and transmit some form of protected health information. However, 49% of participants admit their organizations do nothing to protect these devices.

"Mobile devices are the authentication mechanism by which a physician or a clinician gets into the health database. So if you are really sloppy on security and these devices get into the hands of a cyber criminal it could get them into the crown jewels of patient data," Ponemon said.

The report, which relied on feedback from 72 healthcare organizations, was sponsored by ID Experts, a company that provides software and services designed to protect businesses and individuals from fraud and identity theft.

According to Rick Kam, president and co-founder of ID Experts, there are several steps healthcare professionals and organizations can take to reduce the number of patient data breaches.

One key step is to improve the types of passwords being used. Many people use the same password--or a variation of it--for everything, from unlocking their smartphone to accessing their bank accounts to logging into Facebook. Best practices suggest that users should vary their passwords and use a combination of letters, numbers, and symbols. Also, changing them periodically can minimize potential damage.

Patients also need to better understand how their medical data is managed and what they should do if their information is compromised. Frequently, when data is compromised, hacked, or lost, those in charge of the data offer the victim credit monitoring. Kam said patients facing the potential threat of lost or stolen data should tell the healthcare provider they want medical identity monitoring services that will alert them to suspicious activity involving your medical claims.

When are emerging technologies ready for clinical use? In the new issue of InformationWeek Healthcare, find out how three promising innovations--personalized medicine, clinical analytics, and natural language processing--show the trade-offs. Download the issue now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
AHoV7X
50%
50%
AHoV7X,
User Rank: Apprentice
12/8/2011 | 6:30:20 PM
re: Patient Data Losses Jump 32%
This is really an unfortunate stat, but itGÇÖs something that should decline as more hospitals put measures in place to assure the safety of patient information. As seen in the mHealth Summit 2011, mobile in the hospital canGÇÖt be stopped. It provides so many upsides, like access to patient data and flexibility.

However, itGÇÖs the hospitals responsibility to protect this data. By empowering the IT department, an IT administrator can assure all devices accessing EHRs in the system have the proper tools in place to protect the data. And if a device goes missing, with the right tools, an IT administrator can track the device or remotely wipe all the information on the device. With these safeguards in place, patientsGÇÖ data will be protected, and the growth of mobile in hospitals can continue.

Stephen Midgley, Absolute Software
http://blog.absolute.com/
Lisa Henderson
50%
50%
Lisa Henderson,
User Rank: Apprentice
12/8/2011 | 8:28:05 PM
re: Patient Data Losses Jump 32%
In the last paragraph, it is suggested that the patient ask for medical identity monitoring services if they have been compromised after the fact? I guess that's a good route to go, if the data security problem gets that far. It is difficult for patients to trust their data on the Internet and electronically already, this survey really is discouraging for those that want to push patients into the electronic realm.

Lisa Henderson, InformationWeek Healthcare, contributing editor
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7830
Published: 2014-11-24
Cross-site scripting (XSS) vulnerability in mod/feedback/mapcourse.php in the Feedback module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allows remote authenticated users to inject arbitrary web script or HTML by leveraging the mod/feedback:mapcourse cap...

CVE-2014-7831
Published: 2014-11-24
lib/classes/grades_external.php in Moodle 2.7.x before 2.7.3 does not consider the moodle/grade:viewhidden capability before displaying hidden grades, which allows remote authenticated users to obtain sensitive information by leveraging the student role to access the get_grades web service.

CVE-2014-7832
Published: 2014-11-24
mod/lti/launch.php in the LTI module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 performs access control at the course level rather than at the activity level, which allows remote authenticated users to bypass the mod/lti:view capability requirement by vi...

CVE-2014-7833
Published: 2014-11-24
mod/data/edit.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 sets a certain group ID to zero upon a database-entry change, which allows remote authenticated users to obtain sensitive information by accessing the database after an edit by a teacher.

CVE-2014-7834
Published: 2014-11-24
mod/forum/externallib.php in Moodle 2.6.x before 2.6.6 and 2.7.x before 2.7.3 does not verify group permissions, which allows remote authenticated users to access a forum via the forum_get_discussions web service.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?