Health care data breaches are rising and many mobile devices are unprotected, according to an annual report by the Ponemon Institute.
The Ponemon Institute, a research firm that advises organizations on data security and privacy, has released a new survey of the health care industry showing a 32 percent increase in data breaches.
Data security consulting firm ID Experts sponsored Ponemon's report, the second-annual "Benchmark Study on Patient Privacy and Data Security," announced on Dec. 1. ID Experts provides assessment tools and response plans to help organizations deal with data security issues.
For the study, Ponemon interviewed senior personnel at 72 health care organizations in the administration, clinical, compliance, financial, privacy and security departments.
"Health care organizations are either complacent about data responsibilities or are under-resourced," Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, told eWEEK.
Ponemon compared a data breach to a small leak in a ship. "Data breaches don't have to be large to be significant," he said. "Small leaks can become big leaks pretty easily."
Three leading causes of data breaches in health care are lost or stolen equipment, errors by third parties and employee mistakes. In fact, sloppy mistakes by employees have led to many data breach increases, according to 41 percent of respondents.
Data breaches have cost the health care industry an average of $6.5 billion annually since 2010. With that money, the industry would have been able to hire 81,250 nurses nationwide, the Ponemon Institute reports.
Of health care organizations surveyed, 96 percent have suffered a data breach in the last two years.
In addition, although 81 percent of health care organizations store personal health data on mobile devices, 49 percent of respondents say their companies take no steps to secure the data, according to the report.
"Unfortunately, these devices are not being secured - they're being left in cabs, on airplanes," Rick Kam, president and co-founder of ID Experts, told eWEEK.
"A lot of these organizations encourage the use of mobile devices, even personally owned mobile devices, but they don't understand the risk," Ponemon said.
More software will be available soon to protect mobile devices from malware, Ponemon noted.
Meanwhile, 61 percent of health care organizations lack confidence in their knowledge of the data's location.
The Ponemon Institute conducted the study to better understand how health care providers handle privacy practices and the loss of patient information.
Three tools that health care organizations should implement to avoid data breaches are technology, compliance with laws on data exposure, and enforcing control practices and policy, Ponemon said.
Single sign-on is one tech tool health care companies can use to keep data secure, Ponemon noted.
In a positive development, health care organizations are relying more on policies and procedures rather than forming an "ad hoc" response, according to the report.
In the last year, the number of organizations that have sufficient policies has increased from 41 percent to 47 percent.
A recent major data breach involved a stolen PC in October 2011 at Sutter Health, a hospital system in Northern California, leaving data for 4.24 million patients vulnerable to theft.
In another incident, involving health insurer WellPoint, an application program tracker exposed Social Security numbers, financial information and health records from Oct. 23, 2009, to March 8, 2010.
On average, health care organizations notified patients of a breach within seven weeks, according to the report. Under the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act, health care organizations must notify patients of a breach within 60 days.