After financial services, perhaps nowhere is the risk greater to both provider and client than in health care when a data breach or loss occurs. And it seems that good data protection practices are falling by the wayside in the scramble to digitize, organize and share that data.
The Ponemon Institute just released a report on a survey of IT and health care professionals in 80 organizations that it carried out for ID Experts. Among other findings, Ponemon reports that:
- 94 percent of hospitals had suffered data breaches
- 45 percent had suffered more than five breaches
- Well over 21 million patients have been affected by health care organization breaches
- Data breaches have cost health care organizations in the U.S. $7 billion
Survey respondents said their organizations lack needed controls to prevent or detect medical identity theft (67 percent), and few conduct privacy risk assessments (16 percent). Two-thirds say they lack the budget to minimize these incidents, 73 percent lack other resources to prevent and detect incidents, and only 36 percent have improved programs in response to the threat of audits.
The survey touched on the huge threat from BYOD in health care settings, a finding echoed in other recent research from the Spyglass Consulting Group.
To make matters more complicated, Susan Hall wrote recently about how entrenched hiring practices within health care organizations are preventing some qualified IT professionals from being able to break into this growth area.
The pressure on organizations to control data and the spiraling costs of breaches is creating a training and hiring niche. One approach toward addressing both is a new partnership announced between the non-profit Health Information Trust Alliance (HITRUST) and certification provider ISC2. Now in its early stages, the partnership will in January 2013 tackle the identification of the “major job requirements and subsequently the knowledge and skills needed by a healthcare information protection professional to fulfill these requirements.”
Says Daniel Nutkis, chief executive officer for HITRUST, in the partnership announcement,
“Our experience has shown us that organizations with more knowledgeable security professionals manage information risks better and have more advanced information security programs. Healthcare organizations will benefit from having a simpler method to ensure their information protection professionals have the appropriate skills.”