The Ponemon Institute and ID Experts released the Fourth Annual Benchmark Study on Patient Privacy and Data Security earlier this month. Health care-related security issues seem to be less discussed these days, as other industries and organizations have grabbed the security headlines. But just because we aren’t hearing about breaches within hospital and insurance networks doesn’t mean they aren’t happening.
I think the release of this study is well timed, with the deadlines for the Affordable Care Act (ACA) quickly approaching. With more people entering the health care (and insurance) system, there will be a corresponding rise in the amount of personally identifiable information (PII) available. The Ponemon and ID Experts study gives us a good idea of where the security risks within the health care industry are.
The good news from the study is that the number of data breaches has decreased slightly over the past two years. Also, the health care industry is doing a better job at controlling the costs involved in a data breach.
However, the report also revealed some very serious security flaws within the health care industry. For instance, the report stated:
“Insider negligence continues to be at the root of most data breaches reported in this study but a major challenge for healthcare organizations is addressing the criminal threat. These types of attacks on sensitive data have increased 100 percent since the study was conducted in 2010 from 20 percent of organizations reporting criminal attacks to 40 percent of organizations in this year’s study.”
The health care industry isn’t immune to the security concerns brought on by the rise in BYOD use and the cloud. Even though nearly nine of 10 employers allow employees to use personal devices to access the organization’s network, more than half of the companies are worried that not enough is being done to make sure those personally owned devices are secure. And 40 percent say that they believe mobile device use is a top security concern overall. The use of public cloud options has generated concerns similar to mobile use.
An article in eSecurity Planet shows why issues like employee negligence and mobile devices plague the health care industry. A lost flash drive with patient data on it has put 500 young people at risk of identity theft.
Last month I wrote that the medical industry is ripe for hackers. The Ponemon and ID Experts study adds to that theory, particularly when it comes to the ACA:
“Respondents in 69 percent of organizations represented believe the ACA significantly increases (36 percent) or increases (33 percent) risk to patient privacy and security. The primary concerns are insecure exchange of patient information between healthcare providers and government (75 percent of organizations), patient data on insecure databases (65 percent) and patient registration on insecure websites (63 percent of organizations).”
The health care industry, from doctors’ offices to insurance agencies, is fertile ground for identity thieves and hackers because of the sheer amount of PII available. Perhaps it is time to take another look at the way the health care industry handles security, especially in light of the growth of BYOD and the public cloud.