Many healthcare organisations say they have already suffered data breaches. Now the extended use of mobile devices, many of which are not secure, is proving an added cause for concern.
Data breaches at health organisations seem to be occurring ever-more frequently. A report* from the Ponemon Institute, an independent research and education institute, sponsored by ID Experts, a provider of comprehensive data breach solutions, which has just been published highlights the fact that 94% of the healthcare organisations surveyed have had to deal with this problem at least once and some 45% have fallen prey to such incidents more than five times in the last two years. Securing data does carry a cost, but much less than the potential costs arising from the consequences of loss or theft of protected health information (PHI) - the average annual cost to the US healthcare industry being estimated as high as $7 billion. A major cause of data breaches is that some medical devices containing confidential patient information, such as insulin pumps, are usually unsecured – the findings show that 69% of the organisations surveyed do not secure such medical devices. The report also points out that using cloud and mobile services, where ever more data is now being hosted on a range of servers which are themselves not secure, may also increase risks.
Time for a rethink on BYOD?
Over 80% of the healthcare organisations polled – hospitals, clinics and networked medical practices – permit employees and medical staff to use their own mobile equipment, such as smartphones or tablets, to connect to their networks or in-house systems such as email. However, 54% of the respondents admit they are not confident that these personally-owned mobile devices are secure. Meanwhile, 91% of hospitals surveyed are using cloud-based services to store PHI, yet around half lack confidence that the data will be kept secure in the cloud. This does not of course mean to say that such services are not in fact secure. Often the causes of security issues are management issues within the organisation itself. Such breaches often occur as a consequence of the loss or theft of a computing device (46%), unintentional employee action (42%), a criminal attack (33%) or a technical systems glitch (31%), the Ponemon survey found.
Improvements on the horizon?
Faced with these risks, 36% of the healthcare institutions say they are trying to make improvements. However according to the report, close to seven out of ten do not possess the means of monitoring to prevent and/or rapidly detect medical identity theft – three quarters stating that they simply do not have the funds. Yet data breaches put not only patient information – most often medical files or billing and insurance records – at risk but also the patients themselves. Some 39% of healthcare organisations which have experienced medical identity theft revealed that the incident had resulted in inaccuracies in the patient’s medical records, and a quarter of them said it had actually adversely affected the patient’s medical treatment.
*Third Annual Benchmark Study on Patient Privacy & Data Security