Ponemon Institute and ID Experts have just released their third annual benchmark study on privacy and security, and the results for Healthcare do not look good. Threats to Healthcare organizations have increased, as have the costs of dealing with them. The report projects that the annual cost of data breaches for the industry as a whole “could potentially be as high as $7 billion.”
Yet the majority of organizations do not have the people, processes or technology in place to address these threats. Almost every hospital surveyed (94%!!) suffered at least one data breach, and nearly half suffered more than five in the past two years. More than half had also suffered medical identity theft. The primary cause of breaches continues to be employee or partner negligence.
No wonder 54% of healthcare respondents say they lack confidence in their ability to detect patient data losses. And only one-third believe they have the controls in place to prevent patient ID theft. Among the biggest challenges to threat mitigation are lax BYOD policies, file-sharing applications and a growing reliance on cloud computing.
To turn this tide, Healthcare organizations need to address their IT security and threat landscape holistically and move toward proactive, day-to-day mitigation of threats. This includes having an incident response plan that covers third-party partners.
The Health Information Trust Alliance (HITRUST) also released a significant benchmark study this week, shedding an equally grim light on the state of Healthcare cybersecurity. According to HITRUST research, US Healthcare organizations have suffered about 500 data breaches since 2009, which compromised about 21 million personal records and racked up about $4 billion in damages. These figures, which don’t even count breaches affecting fewer than 500 individuals, show no improvement in breach prevention over prior years. Equally disconcerting is the time it takes Healthcare organizations to recognize a breach (84 days on average) and to notify those potentially affected (68 days).
Of particular interest is the fact that over 60% of data breaches occurred at small-to-midsized Healthcare practices with 1 to 100 employees. These organizations are increasingly targeted by cybercriminals and need to start with cost-effective information security assessments to reduce the business risk of a data breach.
This week’s litany of healthcare data breaches features more patient data compromised due to stolen or missing devices. Leading the parade is Alere Home Monitoring. The Massachusetts-based provider of in-home testing products and services is notifying about 116,000 patients of a breach that took place when an employee’s unencrypted laptop was stolen from a vehicle. Alere says it will encrypt laptops and enhance staff education on cybersecurity going forward.
The University of Virginia Medical Center is likewise notifying about 2,000 patients after losing an unencrypted Palm device used by on-call pharmacists. The missing data includes patient contact data and Social Security numbers.
Christus St. John Hospital in Houston is notifying an undisclosed number of patients from its sports medicine program following the loss of an unencrypted USB device. Among the data lost are Social Security numbers, birth dates and health insurance information.
Another potential breach was reported by Western Connecticut State University following identification of a “storage system vulnerability” that could have exposed the personal information of over 235,000 students and others. Files were “stored in a manner that may have allowed unauthorized users to access the files in question from April 2009 to September 2012,” according to the school.
Healthcare IT Security
Pivot Point Security has the right combination of Information Security/Compliance domain expertise, healthcare industry knowledge and experience, and organizational character to help you define and execute on the best course of action so you can know you’re secure and prove you’re compliant. See how we can help.