Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

12/7/2011
02:07 PM
50%
50%

Patient Data Losses Jump 32%

Growing use of mobile devices in healthcare has intensified the security risk associated with managing patient data.

7 Patient Education Tools
7 Patient Education Tools
(click image for larger view and for slideshow)
The frequency of patient data losses at healthcare organizations has increased by 32% compared to last year, with nearly half (49%) of respondents citing lost or stolen computing devices such as laptops, tablets, and smartphones, according to recently published figures from the Ponemon Institute's second annual benchmark study on patient data security.

The latest report--2011 Benchmark Study on Patient Privacy and Data Security--estimates that data losses and security breaches cost the U.S. healthcare industry about $6.5 billion. And healthcare organizations face challenges in their ability to stem those losses.

Some 61% of organizations said they are not confident they know where their patient data is physically located, 55% said they have little or no confidence in their ability to detect all privacy incidents, and 46% reported that patient data breaches and data losses occurred among third-party business associates.

[ Mobile devices are not the only new security concern. Read Healthcare Cloud Brings Access Control Concerns. ]

Fighting patient data losses and security breaches will entail beefing up health IT personnel and procedures to combat these weaknesses. However, 54% of respondents said they have an inadequate budget for security and privacy, 45% said there is insufficient risk assessment, and another 43% identified a lack of trained staff and end users as a problem.

"Healthcare organizations tend to underspend relative to other industries on security. A lot of healthcare organizations figure that their mission in life is to treat people and get them well, it's really not about patient data security," Larry Ponemon, chairman and founder of the Ponemon Institute, told InformationWeek Healthcare.

Ponemon also said that while the healthcare industry is required to meet security and privacy regulations under the Health Information Technology for Economic and Clinical Health (HITECH) Act and the Health Insurance Portability and Accountability Act (HIPAA), many organizations don't do enough to enforce privacy and security measures.

"They'll check the box to say we have a training program, but they really don't do enough of a deep sophisticated comprehensive security check that can affect the security posture of the healthcare organization," Ponemon added.

Further complicating matters has been the increasing use of mobile devices by doctors and other clinicians. The study found that 81% of healthcare organizations report that they use mobile devices to collect, store, and transmit some form of protected health information. However, 49% of participants admit their organizations do nothing to protect these devices.

"Mobile devices are the authentication mechanism by which a physician or a clinician gets into the health database. So if you are really sloppy on security and these devices get into the hands of a cyber criminal it could get them into the crown jewels of patient data," Ponemon said.

The report, which relied on feedback from 72 healthcare organizations, was sponsored by ID Experts, a company that provides software and services designed to protect businesses and individuals from fraud and identity theft.

According to Rick Kam, president and co-founder of ID Experts, there are several steps healthcare professionals and organizations can take to reduce the number of patient data breaches.

One key step is to improve the types of passwords being used. Many people use the same password--or a variation of it--for everything, from unlocking their smartphone to accessing their bank accounts to logging into Facebook. Best practices suggest that users should vary their passwords and use a combination of letters, numbers, and symbols. Also, changing them periodically can minimize potential damage.

Patients also need to better understand how their medical data is managed and what they should do if their information is compromised. Frequently, when data is compromised, hacked, or lost, those in charge of the data offer the victim credit monitoring. Kam said patients facing the potential threat of lost or stolen data should tell the healthcare provider they want medical identity monitoring services that will alert them to suspicious activity involving your medical claims.

When are emerging technologies ready for clinical use? In the new issue of InformationWeek Healthcare, find out how three promising innovations--personalized medicine, clinical analytics, and natural language processing--show the trade-offs. Download the issue now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Lisa Henderson
50%
50%
Lisa Henderson,
User Rank: Apprentice
12/8/2011 | 8:28:05 PM
re: Patient Data Losses Jump 32%
In the last paragraph, it is suggested that the patient ask for medical identity monitoring services if they have been compromised after the fact? I guess that's a good route to go, if the data security problem gets that far. It is difficult for patients to trust their data on the Internet and electronically already, this survey really is discouraging for those that want to push patients into the electronic realm.

Lisa Henderson, InformationWeek Healthcare, contributing editor
AHoV7X
50%
50%
AHoV7X,
User Rank: Apprentice
12/8/2011 | 6:30:20 PM
re: Patient Data Losses Jump 32%
This is really an unfortunate stat, but itGs something that should decline as more hospitals put measures in place to assure the safety of patient information. As seen in the mHealth Summit 2011, mobile in the hospital canGt be stopped. It provides so many upsides, like access to patient data and flexibility.

However, itGs the hospitals responsibility to protect this data. By empowering the IT department, an IT administrator can assure all devices accessing EHRs in the system have the proper tools in place to protect the data. And if a device goes missing, with the right tools, an IT administrator can track the device or remotely wipe all the information on the device. With these safeguards in place, patientsG data will be protected, and the growth of mobile in hospitals can continue.

Stephen Midgley, Absolute Software
http://blog.absolute.com/
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7227
PUBLISHED: 2020-01-18
Westermo MRD-315 1.7.3 and 1.7.4 devices have an information disclosure vulnerability that allows an authenticated remote attacker to retrieve the source code of different functions of the web application via requests that lack certain mandatory parameters. This affects ifaces-diag.asp, system.asp, ...
CVE-2019-15625
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
CVE-2019-19696
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
CVE-2019-19697
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
CVE-2019-20357
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.