Reports: Costly Data Breaches Persist; Better Prevention Should Top 2013 To-Do Lists
Two new reports provide more evidence that healthcare information security leaders need to make a New Year's resolution to step up their data breach prevention efforts.
A survey of 80 healthcare organizations, conducted by the research firm Ponemon Institute and sponsored by ID Experts, found that 94 percent have had at least one data breach in the past two years and 45 percent have had more than five incidents. By comparison, in a 2010 study, only 29 percent reported that their organization had more than five breaches in the past two years.
"This suggests the importance of determining the cause of the breach and what steps need to be taken to address areas potentially vulnerable to future incidents," Ponemon's report on the study stresses.
There are millions of reasons why healthcare entities need to improve their breach prevention. For organizations dealing with breaches, the average economic impact was $2.4 million over a two-year period, Ponemon estimates in its latest survey. That's up from $2.2 million in 2011 and $2.1 million in 2010.
Although the report does not break down those costs, data breach expenses range from direct costs, such as a forensic investigation, notifying victims and providing them with credit monitoring, to intangibles, like damage to the organization's reputation, which can lead to lost business. And in some cases, federal investigations of breaches have led to hefty HIPAA non-compliance penalties.
The Ponemon survey shows the primary cause of breaches is lost or stolen computing devices. That is followed by employee mistakes or unintentional actions and third-party snafus.
These findings are in sync with statistics from the Department of Health and Human Services' Office for Civil Rights, which has been tracking health data breaches on its "wall of shame" since the HIPAA breach notification rule went into effect in September 2009. The tally shows more than half of major breaches involved lost or stolen unencrypted computing devices or storage media (see: Health Breach Tally Tops 500 Milestone).
Another new report by the Health Information Trust Alliance, a consortium of healthcare, IT and security leaders, analyzed HHS data on major breaches and finds that smaller physician practices with 100 or fewer employees account for more than 60 percent of the incidents.
These vulnerable smaller practices, which often lack the resources and technology know-how to adequately address security issues, pose "a new and significant risk to larger entities with whom they share information," according to the HITRUST report.
"The adoption of electronic health record technology among hospitals, for example, has led to 'community health records' where physicians utilize a local hospital's EHR system instead of purchasing their own," HITRUST notes in its report. "This now exposes the hospital to the same risks as the connecting practices, which often lack anti-malware [software], have insecure or no firewalls, and share passwords. These issues, in turn, may lead to more breaches implicating both parties."
HITRUST's report adds another sobering point: The organization's data assessment suggests that many breaches, especially hacking incidents and malware infections, may go unreported or undiscovered.
"While collectively hacking and malware breaches only comprise 8 percent of the total breaches and 11 percent of the records breached, we have identified numerous instances of healthcare data on underground message boards that cannot be tied back to reported breaches," the report notes.
The bottom line in both of the new reports is that healthcare organizations need to get better at preventing and detecting breaches.
That, of course, includes getting a better handle on encrypting mobile devices, which should be at the top of any breach prevention to-do list: under the HIPAA breach notification rule, the loss of a device whose data is encrypted in line with HHS guidance is not a reportable breach, while the loss of an unencrypted one generally is. But in fairness to those who are making an effort to encrypt data on laptops, tablets and other mobile hardware, keeping track of all devices that could contain patient data is getting tougher, especially as more employees use personal devices for work-related purposes.
Other key prevention steps include implementing mobile device management software to administer security controls, improving employee training, using an intrusion detection system and enforcing a detailed BYOD policy.
With more patient data being digitized and shared, and the use of personal mobile devices by employees on the rise, healthcare organizations need to put breach prevention at the top of their 2013 to-do lists.
(Note that in the coming weeks, we'll be offering updates on the results of our second annual Healthcare Information Security Today survey, including insights on the steps healthcare organizations plan to take in 2013 to prevent breaches.)