Ponemon Study on Patient Privacy Highlights Security Failings

Released today, the Ponemon Institute's Third Annual Benchmark Study on Patient Privacy & Data Security (available at http://www2.idexpertscorp.com/ponemon2012/) starkly highlights the continued serious challenges faced by healthcare organizations in adequately safeguarding protected health information ("PHI"). As the study notes straight out of the gate, "the threats to healthcare organizations have become increasingly more difficult to control," in part due to the rise of BYOD, file-sharing applications and cloud computing in parallel with "sophisticated and stealthy" criminal attacks that have been on the rise since 2010. The end result is that the average cost over two years for organizations responding to PHI data breaches has risen to $2.4 million - up from the $2.2MM and $2.1MM reported in the analogous Ponemon studies in 2011 and 2010, respectively. What were the key findings? The overall news isn't good.

In short:

  • More healthcare organizations are experiencing multiple data breaches.
    • The report notes that an incredible 94% of healthcare organizations in the study have had a data breach in the past two years, with 45% reporting "more than five incidents." That's not only an amazing figure in the abstract, but it stresses that thoroughly determining the cause of a breach and following through on concrete steps to forestall future incidents must be a key aspect of any breach response. It also underscores that proactive data security reviews are valuable, cost-effective measures.
  • Data breaches can have severe economic consequences.
    • Not every data incident automatically results in a $2.4 million price tag. Indeed, the study states that the data breaches studied ranged from less than $10,000 to more than $1 million over a two-year period, but given the size of the industry the findings indicate that "the annual cost to the healthcare industry could potentially be as high as almost $7 billion" given the total number of registered hospitals in the U.S.
  • Insider negligence continues to be the primary cause of breaches.
    • People are always the weak link in any security system, but the fact that the main causes of data loss and breaches are employee mistakes, carelessness and "third party snafus" reiterates that a KISS approach to security, combined with realistic privacy risk assessments and fostering a culture of security situational awareness, can, perhaps more than any other measure, increase security and limit data loss incidents. However, the report also notes, somewhat counterintuitively at first blush, that employee training "does not seem to be effective in reducing insider negligence." The cause of this appears to be that annual or periodic privacy and security training, without more, is essentially - and we've seen this in practice - useless. Employees toss the "manual" in a drawer and get back to work. The key is truly fostering security awareness day in and day out; otherwise the efforts spent in "training" are little more than feel-good exercises and wasted time and money.
  • Medical identity theft occurs and can affect patient treatment.
    • Documenting why increased "red flag" measures and other health provider point-of-service ID confirmation remain an ongoing battle, only one third of healthcare organizations believe they have sufficient controls in place to prevent patient ID theft, with 52% of organizations reporting that they had experienced one or more incidents of medical ID theft. Let that sink in a minute.
  • Trends in mobility and employee-owned devices put patient data at risk.
    • Amazingly, use of BYOD in the healthcare field is significantly higher than in other areas, with 81% of organizations allowing employees and medical staff to "use their own mobile devices" to connect to their networks or enterprise systems, and with, on average, 51% of employees BYOD'ing. That's stunning.
  • Unsecured medical devices are vulnerable to hackers.
    • Mirroring the recent spate of news stories about the possibility of hacking pacemakers and the like, the study notes that 69% of organizations do not "secure" medical devices such as wireless heart and insulin pumps, mammogram imaging and other critical health devices. I expect this to rapidly change as awareness of the issue broadens.
  • Healthcare organizations embrace the cloud in a big way.
    • Interestingly, and in what may come as a surprise to those otherwise following cloud computing closely, the study revealed that 62% of health organizations make "moderate or heavy use of cloud services," with a paltry 9% not using cloud services in any form. On the flip side, however, in a mode apparently embracing "hope as a strategy," 47% were not confident their information in the cloud was secure, while only 23% expressed confidence in the security of their cloud services. That strikes me as a dramatic indictment of apparently commonplace cloud contracting practices.
  • Concerns about the security of Health Information Exchanges (HIEs) are keeping organizations from joining.
    • Security still matters to many, thankfully. In the drumbeat chorus of bad news, the report speculates that many organizations have steered clear of joining HIEs due to a lack of confidence in HIE security and the privacy of patient data. To me that's actually good news, given the already shocking number and amount of health-related breaches documented in the study, but it highlights that HIEs have their work cut out for them in raising the comfort level on security and patient privacy.
  • The ability to prevent and detect data breaches has made strides, but is far from sufficient.
    • What to say here that doesn't have us all rushing to stick our heads in the oven? First, deep breath. On the downside, only 40% of healthcare organizations are confident today in their ability to prevent and detect patient data loss or theft, which clearly means we're in worrying "Mayday! Mayday! Mayday!" territory. And with every organization under fiscal and performance pressure, the situation is not likely to rapidly improve. That's the bad news. But the report does note the positive that organizations are moving away from loosey-goosey "ad hoc" processes towards regimented policies and procedures and security tech. Good. But we all have work to do in this area and, really, it again comes back to ensuring key personnel take security seriously and are then willing to personally backstop efforts so that security awareness spreads, by osmosis, throughout their organizations.
  • The carrot and the stick work. Sort of.
    • Or as the report puts it, "compliance encourages improvements in privacy and data security" - in English, this means HHS OCR audits and fines have thrown fear into organizations, with 68% of organizations having in response conducted and documented post-data-breach incident risk assessments. We all know that no one, well almost no one, enjoys the threat of HIPAA/HITECH penalties hanging over them, but it has enabled security personnel to point to the danger over the horizon and then stick a finger on their data map where it now says "Here be dragons!" to gain new attention for security efforts.
  • Barriers to achieving a stronger defense against data breaches continue to be a shortage of technologies, funding and expertise.
    • In other words, "dog bites man." Money is always short. Crucial skills are both fleeting and in short supply. Technology marches on at light speed. That said, a resounding 52% (up from 41% in 2010) of organizations agreed they have "sufficient" policies and procedures in place to prevent or quickly detect unauthorized patient data access, loss or theft. But policies and procedures are one thing. The proof of the pudding comes when the data hits the road, and on that front significant road rash was reported, with only 27% of organizations stating they have enough security resources and 34% claiming their security budgets were satisfactory. As any road racer knows, "your vehicle/cycle steers to where you're looking." No, that's not a Zen koan.

Overall, the Ponemon Third Annual Benchmark Study on Patient Privacy and Data Security is a sobering but extremely useful read, and at 37 pages is comprehensive without being overwhelming. Frankly, I'd recommend that every healthcare organization (or business associate) that interacts with PHI plan on scheduling a meeting with IT, legal and C-level executives to, at least, review the study's executive summary and then develop sound, sensible and serious benchmarks for 2013 to address its findings and the yawning gap that continues to exist in data security around PHI.