Some Startling Facts from a Recent Data Security Study
In the movie Forrest Gump, there is a famous quote: “Life is like a box of chocolates; you never know what you’re going to get.” This simple statement eloquently captures the infinite possibilities of the future. However, at the Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data, hosted by the Ponemon Institute in May 2015, the revelations presented were far more shocking than a box of delicious chocolates. One key finding from the study was that criminal attacks targeting healthcare data had surged by 125%, becoming the leading cause of healthcare data breaches. Other research findings were equally alarming. VCBeat has compiled the main insights from this conference to help readers understand the critical importance of healthcare data security today and the severe challenges it faces.
Surprise 1: 65% of healthcare organizations provide no protective services to patients whose information has been lost or stolen. As cyber threats to medical data intensify, this situation is undoubtedly undesirable. Ironically, the Ponemon study also found that 65% of healthcare organizations believe that patients whose information has been lost or stolen are more susceptible to medical identity theft.
According to Ponemon Institute’s study, “The Fifth Annual Study on Medical Identity Theft” (2014), commissioned by the Medical Identity Fraud Alliance, medical identity theft incidents nearly doubled over five years, rising from 1.4 million adult victims to more than 2.3 million in 2014. Many victims of medical identity theft reported spending an average of nearly $13,500 to restore their credit, repay fraudulent claims made to healthcare providers, and correct erroneous medical records. For patients whose medical records have been compromised, healthcare organizations and their business associates must act promptly to provide medical identity monitoring and identity restoration services.
On the other hand, most people remain unaware of the severe risks posed by medical identity theft. They tend to prioritize their credit scores and financial information, while paying far less attention to how their insurance benefits are used or what appears in their medical records. What they fail to realize is that while a credit card can be replaced quickly and conveniently, restoring a compromised medical identity may take years. Once their medical records are misused, patients risk misdiagnosis, inappropriate treatment, denial of urgently needed care, or being billed for services they never received. As Bob Gregg, CEO of ID Experts, warns, medical identity theft can cost you your life.
Surprise 2: The average cost of a healthcare data breach has remained steady over the past five years at $2.1 million. In contrast, according to another recent Ponemon report, “Cost of a Data Breach Study 2015: Global Analysis,” the average cost of a data breach across all industries has risen by 23% over the past two years, reaching $3.79 million. Cyber liability insurance, which among other things covers notification costs, enhanced identity monitoring services, and access to privacy attorneys who can assist with the response, can help reduce the cost of healthcare data breaches over time.
Healthcare organizations can take proactive measures to reduce the likelihood and impact of data breaches. This means they need to address tactical issues related to protecting patient data. According to Dr. Larry Ponemon, founder and chairman of the Ponemon Institute, healthcare organizations are facing “the dual challenge of reducing internal risks and malicious external risks. Both require different approaches, which can be somewhat overwhelming even for those with the most robust IT security budgets.”
According to the Ponemon Report, 96% of healthcare organizations have experienced security incidents involving lost or stolen devices, with employee negligence being the top concern for these organizations. Dr. Ponemon stated that healthcare providers should “establish a more proactive training and education program to enhance employee security awareness, and invest in technologies that safeguard patient data on mobile devices and prevent the leakage of sensitive information.”
These training and education programs should center on the protection of Protected Health Information (PHI), particularly on how to recognize and avoid phishing emails and how to keep data from being breached. Healthcare organizations must also work closely with their business associates to ensure that they have implemented similar programs. Further guidance can be found in “Ten Strategies for Protecting Patient Data.”
Regarding external risks, such as the increasing number of criminal attacks, Dr. Ponemon stated that healthcare providers must “assess which sensitive data require monitoring and protection, as well as where this data is located.” It should be added that, as mentioned above, professional hackers target medical data and records, and attacks aimed at these assets are currently the leading cause of healthcare data breaches; boards of directors and senior management in healthcare institutions must recognize this reality and drive enterprise-wide adjustments to address cyber threats.
Surprise 3: Many healthcare organizations rely on ad hoc methods for incident risk assessment. The study found that only 50% of healthcare organizations conducted risk assessments based on the four key factors for each security incident, as required by the HIPAA Final Rule. Among the remaining 50%, 34% of organizations used specialized risk assessment procedures, while 27% relied on internally developed manual procedures or tools.
This approach is inadvisable. Healthcare organizations can now leverage software tools to automate and streamline assessment processes, such as risk assessments and data breach response. By facilitating consistent and objective analysis of security incidents, providing a central repository for all incident information, and simplifying documentation and reporting workflows, these tools can enhance the effectiveness of data protection. This allows privacy and security personnel within the organization to be freed from administrative burdens, enabling them to devote more time to preventive measures.
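To make the contrast between an ad hoc process and a consistent, tool-driven one concrete, the following Python sketch is an added example; it is not code from the article, from VCBeat, or from the Ponemon Institute. It assumes the four factors are those of the HIPAA Breach Notification Rule (45 CFR 164.402: nature and extent of the PHI, the unauthorized recipient, whether the PHI was actually acquired or viewed, and the extent of mitigation). The field names, the scoring rule (worst factor wins; notification unless every factor is LOW), and the sample incidents are constructed for illustration, not regulatory text or real events.

```python
"""Four-factor breach risk assessment backed by a central incident repository.

Added example (not from the article or the Ponemon study). Assumes the four
HIPAA Breach Notification Rule factors; the scoring rule and sample data are
constructed for illustration.
"""
from dataclasses import dataclass, field
from enum import IntEnum
import json


class Risk(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# The four factors every assessment must record (hypothetical field names).
FACTORS = ("phi_nature", "recipient", "acquired_or_viewed", "mitigation")


@dataclass
class Incident:
    incident_id: str
    summary: str
    phi_nature: Risk          # 1. nature and extent of the PHI involved
    recipient: Risk           # 2. who received or used the PHI
    acquired_or_viewed: Risk  # 3. whether the PHI was actually acquired or viewed
    mitigation: Risk          # 4. how far the risk has been mitigated
    evidence: dict = field(default_factory=dict)  # e.g. encryption status, attestations


def assess(incident: Incident) -> dict:
    """Score all four factors the same way for every incident and derive the decision."""
    scores = {f: getattr(incident, f) for f in FACTORS}
    overall = max(scores.values())
    # Constructed rule: only an all-LOW result supports "low probability of compromise".
    low_probability = all(r == Risk.LOW for r in scores.values())
    return {
        "incident_id": incident.incident_id,
        "factor_scores": {f: r.name for f, r in scores.items()},
        "overall_risk": overall.name,
        "notification_required": not low_probability,
    }


class IncidentRepository:
    """Central, append-only store so every incident is documented consistently."""

    def __init__(self):
        self._records = []

    def add(self, incident: Incident) -> dict:
        record = assess(incident)
        record["evidence"] = incident.evidence
        self._records.append(record)
        return record

    def summary(self) -> dict:
        total = len(self._records)
        notify = sum(r["notification_required"] for r in self._records)
        return {"assessed": total, "notification_required": notify,
                "no_notification": total - notify}

    def export_json(self) -> str:
        """Reporting output; the stored records are the audit trail."""
        return json.dumps(self._records, indent=2)


# Constructed sample incidents (not real events).
SAMPLE_INCIDENTS = [
    Incident("INC-0001", "Laptop lost in taxi; full-disk encryption verified, key not on device",
             Risk.LOW, Risk.LOW, Risk.LOW, Risk.LOW,
             {"device_encrypted": True, "remote_wipe": "confirmed"}),
    Incident("INC-0002", "Phishing led to mailbox access; 400 patient records forwarded externally",
             Risk.HIGH, Risk.HIGH, Risk.HIGH, Risk.MEDIUM,
             {"records_affected": 400, "identifiers": ["name", "SSN", "diagnosis"]}),
    Incident("INC-0003", "Discharge summary faxed to wrong clinic; clinic attested to destruction",
             Risk.MEDIUM, Risk.LOW, Risk.HIGH, Risk.LOW,
             {"recipient_type": "covered_entity", "destruction_attestation": True}),
]


def run_assessments(incidents=SAMPLE_INCIDENTS) -> IncidentRepository:
    """Assess a batch of incidents into one repository and return it."""
    repo = IncidentRepository()
    for inc in incidents:
        repo.add(inc)
    return repo


if __name__ == "__main__":
    repo = run_assessments()
    print(repo.export_json())
    print(repo.summary())
```

The point of the structure is that the decision logic lives in one place (`assess`) and every record carries the same four scores plus its evidence, which is what lets a privacy officer produce consistent documentation and a defensible notification decision without rebuilding the analysis by hand for each incident.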
So far, 2015 has been a poor year for protecting patients and their data. The growing number of cyberattacks means that more patients and more data are at risk. Although security incidents cannot be avoided entirely, the industry can still learn from Ponemon's research and work together to ensure that next year brings pleasant surprises rather than shocks.
Compiled by: Chen Xin; Edited by: Mo Renying