Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

12/7/2011
02:07 PM
50%
50%

Patient Data Losses Jump 32%

Growing use of mobile devices in healthcare has intensified the security risk associated with managing patient data.

7 Patient Education Tools
7 Patient Education Tools
(click image for larger view and for slideshow)
The frequency of patient data losses at healthcare organizations has increased by 32% compared to last year, with nearly half (49%) of respondents citing lost or stolen computing devices such as laptops, tablets, and smartphones, according to recently published figures from the Ponemon Institute's second annual benchmark study on patient data security.

The latest report--2011 Benchmark Study on Patient Privacy and Data Security--estimates that data losses and security breaches cost the U.S. healthcare industry about $6.5 billion. And healthcare organizations face challenges in their ability to stem those losses.

Some 61% of organizations said they are not confident they know where their patient data is physically located, 55% said they have little or no confidence in their ability to detect all privacy incidents, and 46% reported that patient data breaches and data losses occurred among third-party business associates.

[ Mobile devices are not the only new security concern. Read Healthcare Cloud Brings Access Control Concerns. ]

Fighting patient data losses and security breaches will entail beefing up health IT personnel and procedures to combat these weaknesses. However, 54% of respondents said they have an inadequate budget for security and privacy, 45% said there is insufficient risk assessment, and another 43% identified a lack of trained staff and end users as a problem.

"Healthcare organizations tend to underspend relative to other industries on security. A lot of healthcare organizations figure that their mission in life is to treat people and get them well, it's really not about patient data security," Larry Ponemon, chairman and founder of the Ponemon Institute, told InformationWeek Healthcare.

Ponemon also said that while the healthcare industry is required to meet security and privacy regulations under the Health Information Technology for Economic and Clinical Health (HITECH) Act and the Health Insurance Portability and Accountability Act (HIPAA), many organizations don't do enough to enforce privacy and security measures.

"They'll check the box to say we have a training program, but they really don't do enough of a deep sophisticated comprehensive security check that can affect the security posture of the healthcare organization," Ponemon added.

Further complicating matters has been the increasing use of mobile devices by doctors and other clinicians. The study found that 81% of healthcare organizations report that they use mobile devices to collect, store, and transmit some form of protected health information. However, 49% of participants admit their organizations do nothing to protect these devices.

"Mobile devices are the authentication mechanism by which a physician or a clinician gets into the health database. So if you are really sloppy on security and these devices get into the hands of a cyber criminal it could get them into the crown jewels of patient data," Ponemon said.

The report, which relied on feedback from 72 healthcare organizations, was sponsored by ID Experts, a company that provides software and services designed to protect businesses and individuals from fraud and identity theft.

According to Rick Kam, president and co-founder of ID Experts, there are several steps healthcare professionals and organizations can take to reduce the number of patient data breaches.

One key step is to improve the types of passwords being used. Many people use the same password--or a variation of it--for everything, from unlocking their smartphone to accessing their bank accounts to logging into Facebook. Best practices suggest that users should vary their passwords and use a combination of letters, numbers, and symbols. Also, changing them periodically can minimize potential damage.

Patients also need to better understand how their medical data is managed and what they should do if their information is compromised. Frequently, when data is compromised, hacked, or lost, those in charge of the data offer the victim credit monitoring. Kam said patients facing the potential threat of lost or stolen data should tell the healthcare provider they want medical identity monitoring services that will alert them to suspicious activity involving your medical claims.

When are emerging technologies ready for clinical use? In the new issue of InformationWeek Healthcare, find out how three promising innovations--personalized medicine, clinical analytics, and natural language processing--show the trade-offs. Download the issue now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Lisa Henderson
50%
50%
Lisa Henderson,
User Rank: Apprentice
12/8/2011 | 8:28:05 PM
re: Patient Data Losses Jump 32%
In the last paragraph, it is suggested that the patient ask for medical identity monitoring services if they have been compromised after the fact? I guess that's a good route to go, if the data security problem gets that far. It is difficult for patients to trust their data on the Internet and electronically already, this survey really is discouraging for those that want to push patients into the electronic realm.

Lisa Henderson, InformationWeek Healthcare, contributing editor
AHoV7X
50%
50%
AHoV7X,
User Rank: Apprentice
12/8/2011 | 6:30:20 PM
re: Patient Data Losses Jump 32%
This is really an unfortunate stat, but itGs something that should decline as more hospitals put measures in place to assure the safety of patient information. As seen in the mHealth Summit 2011, mobile in the hospital canGt be stopped. It provides so many upsides, like access to patient data and flexibility.

However, itGs the hospitals responsibility to protect this data. By empowering the IT department, an IT administrator can assure all devices accessing EHRs in the system have the proper tools in place to protect the data. And if a device goes missing, with the right tools, an IT administrator can track the device or remotely wipe all the information on the device. With these safeguards in place, patientsG data will be protected, and the growth of mobile in hospitals can continue.

Stephen Midgley, Absolute Software
http://blog.absolute.com/
10 Ways to Keep a Rogue RasPi From Wrecking Your Network
Curtis Franklin Jr., Senior Editor at Dark Reading,  7/10/2019
The Security of Cloud Applications
Hillel Solow, CTO and Co-founder, Protego,  7/11/2019
Where Businesses Waste Endpoint Security Budgets
Kelly Sheridan, Staff Editor, Dark Reading,  7/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "Jim, stop pretending you're drowning in tickets."
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-1575
PUBLISHED: 2019-07-16
Information disclosure in PAN-OS 7.1.23 and earlier, PAN-OS 8.0.18 and earlier, PAN-OS 8.1.8-h4 and earlier, and PAN-OS 9.0.2 and earlier may allow for an authenticated user with read-only privileges to extract the API key of the device and/or the username/password from the XML API (in PAN-OS) and p...
CVE-2019-1576
PUBLISHED: 2019-07-16
Command injection in PAN-0S 9.0.2 and earlier may allow an authenticated attacker to gain access to a remote shell in PAN-OS, and potentially run with the escalated user?s permissions.
CVE-2018-19629
PUBLISHED: 2019-07-16
A Denial of Service vulnerability in the ImageNow Server service in Hyland Perceptive Content Server before 7.1.5 allows an attacker to crash the service via a TCP connection.
CVE-2019-10100
PUBLISHED: 2019-07-16
Quake3e < 5ed740d is affected by: Buffer Overflow. The impact is: Possible code execution and denial of service. The component is: Argument string creation.
CVE-2019-10100
PUBLISHED: 2019-07-16
UPX 3.95 is affected by: Integer Overflow. The impact is: attacker can cause a denial of service. The component is: src/p_lx_elf.cpp PackLinuxElf32::PackLinuxElf32help1() Line 262. The attack vector is: the victim must open a specially crafted ELF file.