One of the key threats to hospitals and the patient records they manage is the unproven security in the health insurance marketplaces, created as a result of the Affordable Care Act (ACA), according to a report from the Ponemon Institute.
The study revealed that other top threats include criminal attacks; employee negligence; unsecured mobile devices, such as smartphones, notebooks and tablets; and third parties, which are all causing organizations to scramble.
Nearly 70 percent of respondents said they believe the Affordable Care Act has increased or significantly increased risk to millions of patients because of inadequate security.
The specific concerns cited include insecure exchanges between health care providers and government (75 percent), insecure databases (65 percent), and insecure websites for patient registration (63 percent).
One-third of organizations surveyed say they do not plan to become a member of a health information exchange (HIE), and 72 percent are not confident or only somewhat confident in the security and privacy of patient data shared on HIEs.
Data breaches now cost health care organizations $5.6 billion annually, slightly lower than past years. Ninety percent of respondents had at least one data breach over the past two years, while 38 percent have had more than five data breaches in the same time period.
While the total number of data breaches in health care has declined slightly—indicating that health care organizations are making some progress—the threats to patient data remain high.
Many organizations remain overwhelmed and struggle with incident management and compliance with the myriad of regulations, the report noted.
"Employee negligence, such as a lost laptop, continues to be at the root of most data breaches in this study. However, the latest trend we are seeing is the uptick in criminal attacks on hospitals, which have increased a staggering 100 percent since the first study four years ago," Larry Ponemon, chairman and founder of the Ponemon Institute, said in a statement. "The combination of insider-outsider threats presents a multi-level challenge, and healthcare organizations are lacking the resources to address this reality."
Seventy-five percent of organizations cite employee negligence as their biggest security worry, because employees expose sensitive data through the growing use of their personal, unsecured devices, the report found.
In addition, more than half of organizations are not confident that personally owned mobile devices are secure, and yet 38 percent of organizations take no steps to secure these devices or to prevent them from accessing sensitive information.
"It's been a year since the HIPAA Final Rule was issued, and we have seen healthcare organizations make some good progress towards complying with federal privacy and security guidelines and better safeguarding patient information. However, because the threats and risks are shifting, organizations are in a constant state of catch up," Rick Kam, president and co-founder of ID Experts, said in a statement. "It's like a bucket filled with water, with holes in it. The water keeps spurting out, and every time you patch one hole, a new hole forms. The process of patching old and new holes is overwhelming, and this new data validates that issue."