BreachExchange mailing list archives

Human error tops Ponemon patient data security study threats


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 13 Mar 2014 19:34:57 -0600

http://healthitsecurity.com/2014/03/12/human-error-tops-ponemon-patient-data-security-study-threats/

The Ponemon Institute's fourth annual Patient Privacy & Data Security Study
reviewed new and expanded threats of patient data security and privacy.
Based on the results of the study, human error continues to be the biggest
source of healthcare data breaches, as 75 percent of organizations view
employee negligence as the greatest breach threat.

The sample size of healthcare providers that Ponemon was able to interview
rose from 80 in 2012 to 91 this year for a total of about 388 1-on-1
interviews completed over a three-month period concluding in January 2014.
The study covered a wide range of topics, including the need to reduce both
internal and external threats, HIPAA compliance trends, mobile device
security and cloud security. Following negligence, organizations said their
biggest security concerns were use of public cloud services (41 percent),
mobile device insecurity (40 percent) and cyber attackers (39 percent).

According to the study, 90 percent of respondents said they've had at least
one data breach over the past two years and 38 percent (down from 45
percent last year) of that 90 percent said that they had more than five
data breaches over the two-year period. "Probably the only positive result
here that was favorable to the healthcare industry is the reality that data
breach frequency and cost declined slightly over the past year when
compared to prior years," Larry Ponemon, chairman and founder of the
Ponemon Institute, said in an interview with HealthITSecurity.com. "This
may be an indication that organizations are making good but modest progress
in managing sensitive patient data."

The primary causes of breaches were lost or stolen computing devices (49
percent), employee mistakes or unintentional actions (46 percent), and
third-party snafus (41 percent). The rate of data breaches with a root
cause of either a malicious insider or hacker has doubled from 20 percent
of all incidents to 40 percent since the Ponemon Institute first started
doing the study 4 years ago. There are some pattern changes, but that's
probably the biggest change of all, said Ponemon.

From an economic standpoint, one or more data breaches for healthcare
organizations in this study ranges from less than $10,000 to more than $1
million over a two-year period. And Ponemon calculated that the average
economic impact of data breaches over the past two years for the healthcare
organizations represented in this study is $2.0 million, down nearly
$400,000 (17 percent) from last year. Part of these figures is that the
size of the breaches decreased, as the average number of lost or stolen
records per breach went down from 3,000 records to 2,150. At Ponemon's
estimated $188 per record, one breach may cost upwards of $404,200.

Three of the more critical themes in the report were mobile security, cloud
security and HIPAA compliance. According to the report, 88 percent of
organizations allow employees and medical staff to use BYOD devices, but
more than half are not confident that the personally-owned mobile devices
or BYOD are secure. Furthermore, few organizations said they mandate
anti-virus/anti-malware software to reside on the mobile device prior to
connection (23 percent). Even fewer require scanning devices for viruses and
malware prior to connection (22 percent) or scanning devices and removing
all mobile apps that present a security threat prior to connection (14
percent). "We do see that one of the great sources of a data breach is the
loss of devices and now there are more devices, such as tablets or smart
phones, being used in the workplace," Ponemon said.

A mere one-third of respondents said they are very confident or confident
that information in a public cloud environment is secure. However, 40
percent of organizations say they use the cloud (such as backup and
storage, file-sharing applications, business applications and document
sharing and collaboration) heavily, up from 32 percent last year.

And 51 percent of respondents said they are in full HIPAA compliance, while
49 percent report they are not compliant or are only partially compliant.
Additionally, 39 percent say their incident assessment process is not
effective and cite a lack of consistency and inability to scale their
process as the primary reasons. Moreover, 73 percent of organizations are
either somewhat confident (33 percent) or not confident (40 percent) that
their business associates would be able to detect, perform an incident risk
assessment and notify their organization in the event of a data breach
incident as required under the business associate agreement (BAA). And 44
percent of organizations say the HIPAA Omnibus Rule has affected their
programs, while 41 percent say it has not and 15 percent say it is too
early to tell.

Rick Kam, president and co-founder of ID Experts, said part of the strategy
that HIPAA and HITECH covered entities have been taking is to try to just
be compliant without looking at the broader, cross-industry security risks.
As some organizations have learned, compliance with HIPAA doesn't
necessarily mean an organization has good security.

Organizations are trying to do things that OCR or HHS suggests, whether it
be better training or policies and procedures. Where I think they're
missing the boat, as we've seen this in several recent incidents, is that
healthcare ecosystems are becoming more and more complex. Instead of
relying on telling an employee, for example, that they're responsible
for protecting PHI, there should be technologies and tools in place, such
as encryption, that make it less likely that the employee has to do
anything to protect the data.

Other key findings included:

- Respondents in 69 percent of organizations represented believe the ACA
significantly increases or increases the risk to patient privacy and
security. The primary concerns are insecure exchange of patient information
between healthcare providers and government (75 percent of organizations),
patient data on insecure databases (65 percent) and patient registration on
insecure websites (63 percent of organizations).

- Fifty-one percent of organizations say they are part of an Accountable
Care Organization (ACO) and 66 percent say the risks to patient privacy and
security due to the exchange of patient health information among
participants has increased.

- 72 percent of respondents say they are only somewhat confident (32
percent) or not confident (40 percent) in the security and privacy of
patient data shared on HIEs.

- Less than half of the organizations in this study report they are in full
compliance (25 percent) or nearly in full compliance (23 percent) with the
Accounting of Disclosures (AOD) requirement.

- Respondents deemed billing and insurance records and medical files to be
the most likely to be lost or stolen.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 