The Fourth Annual Patient Privacy and Data Security Survey, published in March, revealed new and expanded threats to the security and privacy of patient information in the U.S. healthcare system. The independent survey was completed by the Ponemon Institute and analyzed responses from 91 hospitals and clinics collected over a three-month period ending in January of 2014.

Overall, the survey found that complying with increasingly complex federal and state privacy and security regulations continues to be an ongoing challenge for healthcare organizations. While the total number of data breaches for the organizations surveyed has declined since the first survey, every respondent reported at least one data breach in the past year.

Key findings included:

  1. Criminal attacks have risen 100% since the study was first conducted in 2010, with 40% of respondents reporting criminal attacks. Addressing these threats continues to be a major challenge for healthcare organizations.
  2. Insider negligence continues to be the most common cause of a data breach, with 49% of breaches occurring as a result of a lost or stolen computing or mobile device. Seventy-five percent of organizations considered “employee negligence” as their biggest worry.
  3. Bring Your Own Device (BYOD) practices were permitted at 88% of the organizations surveyed. More than half of these organizations were not confident that these devices are secure when they are connected to the organization’s network or systems such as email. The most common methods used to secure these mobile devices include limiting access to critical systems when connected, requiring users to read and sign an acceptable use policy, or limiting or restricting the download of PHI to the devices.
  4. Despite an increase in reliance on cloud services, only one-third of respondents were confident that information stored in a public cloud environment is secure.
  5. Seventy-three percent (73%) of organizations are either somewhat confident or not confident that their HIPAA business associates would be able to detect data breaches, perform incident risk assessments or notify them in the event of a breach. Only 30% of organizations are very confident or confident that business associates are appropriately safeguarding patient data as required by the Final Rule.
  6. Organizations rely on policies and procedures to achieve compliance and secure protected health information. However, the budget, technologies and access to resources needed to safeguard patient information from a data breach are, unfortunately, not as available.

The survey methodology included the analysis of responses from employees working in compliance, IT, patient services or privacy. Forty-two percent (42%) of the 91 participating providers had a bed capacity of 301-600 beds. It is important to note that the sample size is very small and applies mainly to larger organizations, so great care should be taken in generalizing these findings. However, while the survey sample is small, we do feel this study merits attention, as it identifies trends over a four-year period that may be applicable to other similar organizations.

The full study is available for download here. (Please note this requires registration.)