94% of Study Participants Experience More than One Data Breach Past Two Years

Each year the Ponemon Institute releases a benchmark study looking at patient privacy and security issues. This year’s study reveals the battle the healthcare industry faces in efforts to contain data breaches, with three out of  five healthcare organizations not allocating enough resources to protect patient data.

The Third Annual Benchmark Study on Patient Privacy & Data Security was released by the Ponemon Institute on December 6. The study was sponsored by ID Exerts. We caught up with the Ponemon Institute’s Chairman Larry Ponemon, and ID Experts President Rick Kam, to ask them a few questions about the study results.

Q: First, this is the third annual Benchmark Study on Patient Privacy & Data Security conducted by the Ponemon Institute. Can you give us a little background on the genesis of the study and its purpose?

Larry Ponemon A:The goal of the study is to focus on understanding trends in actual data loss or theft experience of healthcare organizations and their ability to respond to HIPAA, HITECH and other regulations. Specifically the benchmark study interviewed healthcare professionals in 80 organizations about the activities that resulted in the discovery of data loss or theft, escalation of the incident to appropriate parties within the organization, execution of risk assessment procedures, notification procedures and after-the-fact consequences to the organization. We hope the findings of this research will be of help to other healthcare organizations concerned about their ability to prevent data breaches and strengthen their security posture.

Q: You write in the study’s introduction “More healthcare organizations are having several breaches. Ninety-four percent of healthcare organizations in this study have had at least one data breach in the past two years”. What are some of the attributing factors to this increase in breaches? 

Larry Ponemon A: The top reasons are lost or stolen devices containing patient data and negligent insiders. We believe that healthcare organizations need to address these risks to be able to reduce the increase in data breaches.

Q: The 4th annual mHealth Summit was recently held in Washington, D.C. What are some of the challenges organizations will face in securing data in an increasing mHealth world?

Larry Ponemon A: We see the proliferation of mobile devices in healthcare to deliver services more efficiently and to increase convenience for healthcare providers. However, as the study shows, there is not a lot of confidence in securing mobile devices. We suggest that healthcare organizations assess the security posture of their organizations and create and enforce policies for the secure use of mobile devices.

Q: The study also makes reference to healthcare providers’ concerns about the security of personal health information through Health Information Exchanges (HIE) and that these concerns are keeping providers from joining HIEs. How do you see these concerns being overcome?

Larry Ponemon A: Healthcare providers are concerned about the security of sharing patient data with other parties. Transparency about the patient data is being used and demonstration that stringent security protocols are in place may overcome the concerns of healthcare providers.

Q: What are some of the barriers providers face in building a greater defense against data breaches and what are some suggestions would you offer to overcome these barriers?

Rick Kam A: Providers and other healthcare professionals probably face two challenging barriers.  The first is resistance to change.  It seems as if we are all more likely to do things the same “old” way than try new ways to solve the problem of data breaches.  Secondarily, having a perspective of the “value” of PHI so that management can make an appropriate level of investment to protect it.  Solving the second challenge will go a long way to helping solve the first challenge.  The American National Standards Institute sponsored a white paper to help privacy and security professionals determine the “value at risk” of PHI their organizations manage.  Go to www.ansi.org/phi to get a free copy of this white paper.

Q. Finally, what are some of the biggest takeaways from this report and what area(s) do you see as “mission critical” to ensure next year’s report shows improvement?

Rick Kam A:  I have five recommendations for healthcare organizations:

1. A: Operationalize pre-breach and post-breach processes, including incident assessment and incident response processes
2. Restructure the information security function to report directly to the board to symbolize commitment to data privacy and security
3. Conduct combined privacy and security compliance assessments annually
4. Update policies and procedures to include mobile devices and cloud
5. Ensure the Incident Response Plan (IRP) covers business associates, partners, cyber insurance

You can download the full benchmark study at ID Experts.