Ponemon Institute Issues its Fourth Annual Study On Patient Privacy & Data Security

On March 13 the Ponemon Institute issued its Fourth Annual Study on patient privacy & data security. This study has come to be a respected and well received assessment of the privacy and security of patient information in health care. The study is based upon a survey of 91 health care providers of different sizes. I have summarized the key findings of the study for you, but if you wish to read the entire report, contact me and I am glad to send you a copy, or you can find it at: http://www.ponemon.org/blog/fourth-annual-benchmark-study-on-patient-privacy-and-data-security.

1. Ninety percent of health care organizations in the study had at least one data breach in the previous 2 years. The number of organizations that experienced more than 5 data breach incidents actually declined from 45% in last year's report to 38%. Billing and insurance records are the type of patient data most often lost or stolen, followed by medical files.
2. Respondents in 69% of the organizations believe the Affordable Care Act significantly increases risk to patient privacy and security. The main concerns were insecure exchange of patient information between health care providers and the government, patient data existing on insecure databases, and patient registration on insecure websites.
3. Organizations do not have confidence in the security of Health Information Exchanges. A Health Information Exchange is defined as the mobilization of health care information electronically across organizations within a region, community or hospital system.
4. Criminal attacks on health care organizations have increased 100% since 2010. Insider negligence continues to be at the root of most data breaches reported, but a major challenge for health care organizations is addressing the criminal threat.
5. Employee negligence is considered the biggest security threat, as it is the biggest worry for 75% of the organizations that participated in the study. The primary cause of breaches is a lost or stolen computing device, which can be attributed in many cases to employee carelessness. This is followed by employee mistakes or unintentional actions, and third party snafus.
6. Employees and medical staff are allowed to use their own mobile devices such as smart phones or tablets to connect to their organizations' networks at 88% of the organizations. More than half the organizations are not confident that the personally owned mobile devices are secure. Very few organizations require their employees to take security precautions such as placing anti-virus/anti-malware software on their mobile device.
7. The use of the cloud continues to increase, as 40% of organizations say they use the cloud heavily. This is in spite of the fact that only one-third of the organizations are confident that information in a public cloud environment is secure.
8. Fifty-five percent of organizations have policies and procedures that they believe effectively prevent or quickly detect unauthorized patient data access, loss or theft.
9. The business associates that are thought to present the greatest risk to privacy and security are IT service providers. This is followed by claims processors, and benefits management personnel.

I hope this short summary of the key findings of the Ponemon study provides you with some insight into the trends and concerns for health care organizations, and helps you plan for the security and privacy of data in your own organization.