If You’re in Healthcare, You’re Probably Used to Data Breaches
The 2016 Sixth Annual Benchmark Study on Privacy and Security of Healthcare Data, conducted by the Ponemon Institute and sponsored by ID Experts, found that data breaches in healthcare are increasing, not decreasing.
Criminal attacks are the leading cause of breaches at 50%; the other 50% are caused by employee mistakes, unintentional actions, business associates, and stolen computing devices. The study indicated that, unfortunately, healthcare organizations and their third parties are negligent in their handling of sensitive patient information. The cost to the industry is $6.2 billion.
Data breaches in healthcare remain consistently high in volume, frequency, impact, and cost. Of healthcare companies and business associates, 89% experienced a data breach over the past two years, 79% experienced two or more, and 34% experienced two to five. A whopping 45% had more than five breaches.
The average enterprise generates over 2.7 billion actions in cloud services per month, and cybercrime is becoming more frequent. Yet the fact remains that healthcare suffers from an inordinate number of internal breaches.
There is no magic bullet for security. Bear in mind that the healthcare industry spends less than 6% on security, while the US government spends 16%, and look at its data breach record. Cloud security is complicated: it is not the same as on-premises security, and because of this the learning curve is steep.
One of the newest malware programs, Defray, which appeared in September, is highly targeted by industry and by organizational role. For example, an individual receives an email about a patient referral and opens the email and its Word attachment. The organization is now infected and must decide whether or not to pay the ransom. Remember, you may not get your data back even if you pay. In this case, is the end user or inadequate security at fault?
In another example, an unencrypted BlackBerry device with no password protection, lost at a Texas airport, contained the electronic protected health information (ePHI) of 3,800 people. I will admit, a person lost the device, but why was the device not even password-protected? And why was personal patient information being carried around an airport? Part end user error, part organizational error.
I sometimes wonder where this is all going. Organizations can take steps to be more vigilant in protecting data. Are user security profiles accurate, monitored, and up to date? Is there oversight of administrators and potential abuse of power? Is confidential and sensitive information protected? Is protection based on the content within the document? Is all PHI in unstructured content protected? Do you know? Is sensitive or private data protected against unauthorized users moving it, as well as against unauthorized access? Are vulnerabilities identified in real time or after the fact?
Our local healthcare providers have done a great job of instilling a ‘clean hands’ policy. Posters and hand-washing stations abound, and it seems to have worked. Maybe they should tackle security next. If you are a healthcare organization, do you take the basic precautions to keep data safe?