As the use of mobile devices, file-sharing software and cloud services has risen among healthcare providers, data breaches have risen steadily along with it. A hefty 94 percent of healthcare organizations that participated in an annual survey said they had at least one data breach in the past two years.
What’s more startling is that 45 percent said they’d had more than five incidents, and half reported little or no confidence that their organization had the ability to detect all patient data loss or theft.
For its Third Annual Study on Patient Privacy & Data Security, published in December, the Ponemon Institute surveyed 324 administrative and clinical personnel at healthcare facilities, most of them hospitals or clinics that are part of a network or integrated delivery system. Those personnel reported that the most commonly breached data are medical files and billing and insurance records, lost or stolen most often from a desktop, laptop or smartphone.
Interestingly, although the number of data breaches has gone up, those surveyed reported increasing confidence that patient billing information and medical records would not be susceptible to loss or theft. In contrast, many more felt that employee records were the most susceptible data.
While many new technology applications offer healthcare providers greater efficiency and convenience, they also open the door to the insecure transmission of data that may be behind some of these breaches. For example, eight of 10 organizations surveyed allow personnel to bring their own devices and use them to connect to the organization’s network. More than 60 percent of the organizations surveyed also reported moderate or heavy cloud usage, although almost 50 percent said they weren’t confident that the cloud was secure.
While most organizations reported compliance with periodic HIPAA privacy and security awareness training for staff, they still reported that the second-most-common cause of lost or stolen data was an employee mistake, following a lost or stolen computing device.
Comment by Senior InfoWatch Analyst Nikolai Fedotov: «This is a rare case when Russian patients are in a better state than American ones. Patient data are not in demand on the Russian black market. Fraudsters tried to bluff Russian patients using their PD, but they had no success because of both risky and too simple methods. American fraudsters have more opportunities for medical records theft, which are less risky. For decades, medical PD have been in demand on the U.S. black market and therefore have higher value. Thus they are leaked more frequently and via more sophisticated schemes. Until the US minimizes the demand for medical PD, prevention of data breaches will remain difficult and expensive.»