On March 12, 2014, the Ponemon Institute released its Fourth Annual Study on Patient Privacy & Data Security.The study reveals the results of research and interviews with nearly 100 healthcare organizations subject to HIPAA as covered entities. According to the study, respondents that suffered data breaches incurred an average of $2 million in losses related to the breach over a two-year period.
Covered entities, business associates, and other entities in the healthcare space should be mindful of these key findings:
- Employee Negligence Viewed as Largest Security Risk: Participating organizations expressed the most concern about employee negligence (e.g. misplaced computing device, employee mistake). Other security concerns included (1) use of public cloud services; (2) mobile device security; and (3) cyber attackers.
- Organizations Increasingly Allow Employees to Use Personal Mobile Devices: Notwithstanding the concern around employee negligence, the study revealed that 88% of respondents permitted employees to use their own mobile devices to connect to the organization’s networks or enterprise systems. At the same time, most of these organizations are skeptical of the security of such personal devices.
- Increased Risk Associated with Implementation of Affordable Care Act: Respondents expressed concerned about the potential risks associated with the increased exchange of information necessitated by the Affordable Care Act. Respondents highlighted security issues associated with the (1) exchange of patient information between healthcare providers and the government; (2) the storage of patient data on potentially insecure databases; and (3) the patient registration on potentially insecure websites.
- Increased Risk Associated with Participation in Accountable Care Organization: Likewise, respondents expressed concern over the exchange of patient health information in Accountable Care Organizations, with some participating respondents experiencing an increase in unauthorized disclosure of protected health information.
- Lack of Trust in Third-Party Vendors and/or Business Associates: Respondents lack confidence in the ability of third-parties or business associates to maintain adequate data security procedures.
- Criminal Attacks on Healthcare Organizations Have Increased by 100% Since 2010: Though insider negligence remains the highest risk, criminal threats are rising rapidly.
- Organizations Are Knowingly Not Compliant with the HIPAA Final Rule: 49% of respondents also acknowledged lack of compliance with the HIPAA Final Rule, with the most significant issue being a failure to comply with HIPAA’s post-incident risk assessment requirement.
Data breaches can cripple a healthcare organization, so it is important for those in this space to remain aware of the risks and implement policies and procedures to mitigate those risks. Among other things, covered entities and business associates should consider (1) reviewing and revising internal policies and procedures to adequately cover privacy and data security issues; (2) ensuring all employees and agents are sufficiently apprised of privacy and data security policies; (3) conducting regular audits to ensure compliance; (4) revising or creating a post-breach plan that can be quickly deployed in the event of a breach; (5) sufficiently vetting any third parties who may be exposed to PHI, prior to retaining the services of those third parties; (6) adequately allocating risk in third-party vendor agreements; and (7) reviewing and/or acquiring insurance coverage.
