Healthcare // Security & Privacy
News
3/13/2014
09:06 AM
Connect Directly
RSS
E-Mail
100%
0%

Obamacare Vs. Patient Data Security: Ponemon Research

Healthcare professionals worry that healthcare regulations mandating patient data exchange are luring more data thieves, says Ponemon study.

10 Waiting Room Apps That Engage Patients
10 Waiting Room Apps That Engage Patients
(Click image for larger view and slideshow.)

Healthcare professionals believe the Affordable Care Act jeopardizes the safety of patient data, according to Ponemon Institute's Fourth Annual Benchmark Study on Patient Privacy and Data Security

In fact, 69% of respondents believe Obamacare increases or significantly increases risk to patient security and privacy, the study said. Three-fourths are concerned about the exchange of data between healthcare providers and government agencies; 65% worry about patient data being stored in insecure databases; and 63% cited patient registration on insecure websites. 

Likewise, 66% of accountable care organizations (ACOs) believe the risks to patient privacy and security due to the exchange of patient health information has grown. Confidence in health information exchange security is low, too: 32% are somewhat confident and 40% are not confident in exchanges' ability to securely share patient data.

Vulnerabilities are especially worrisome given the growing criminal interest in healthcare records. Criminal attacks on hospitals increased 100% in four years, demonstrating both the value thieves place on patient records and the many ways data is lost and stolen.

[Who's to blame for Oregon's insurance website fail? Read Oracle: Villain Or Scapegoat In Oregon Insurance Exchange Mess?]

Of the 91 health organizations studied, 90% suffered at least one data breach in the past two years, said Larry Ponemon during a conference call. The number of organizations suffering multiple breaches has declined, though, according to the study. Thirty-eight percent of respondents said they had five or more incidents, a decline from last year's study when 45% of respondents had more than five breaches. Organizations were also slightly more optimistic about their ability to detect breaches, the report said.

"It's nothing to celebrate because it's a little too early to call it a trend," Ponemon said. "Maybe healthcare organizations are doing a better job of protecting patient data."

The government has also stepped up enforcement, he said. Some organizations buy cyber liability insurance, which often includes the services of a breach manager, if needed, added Rick Kam, president and co-founder of ID Experts, which sponsored the study.  

"That number when we first started to do this research back in 2010 was near 20%. The number has doubled to 40%. There's evidence from other places that cybercriminals are starting to find real value in patient information," said Ponemon.

Whereas stolen Social Security numbers are viable for only a few hours, thieves can use pilfered health insurance numbers to steal expensive medical services, defraud Medicare or Medicaid, or write prescriptions for drugs, said Kam. On the black market, a Social Security number sells for $1; a health insurance number commands $50, he said.

Negligence poses the biggest risk, according to 75% of those surveyed. Public cloud services (41%), mobile device insecurity (40%), and cyberattackers (39%) round out the list. Most organizations disregard their BYOD fears, with 88% of respondents saying they have a BYOD policy in place for employees' mobile devices. Likewise, despite concerns over cloud security, 40% of healthcare organizations use this technology heavily.

Healthcare providers don't trust their partners, however, when it comes to ensuring data security. According to the report, 40% are not confident and only 30% are confident or very confident that business associates would detect a breach, perform an incident risk assessment, and notify them after a data breach. They are especially concerned about IT providers, claims providers, and benefits management.

Medical data breaches seem to show up on the 6 o'clock news almost every week. If you think it wouldn't happen to you -- or the financial impact will be minor -- think again. Download the Healthcare Data Breaches Cost More Than You Think report today. (Free registration required.)

Alison Diana has written about technology and business for more than 20 years. She was editor, contributors, at Internet Evolution; editor-in-chief of 21st Century IT; and managing editor, sections, at CRN. She has also written for eWeek, Baseline Magazine, Redmond Channel ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Alison_Diana
50%
50%
Alison_Diana,
User Rank: Author
3/17/2014 | 9:50:33 AM
Re: All depends on implementation
That's interesting, @moarsauce. For one thing, it shows just how far behind the US has been in terms of adopting technology within healtcare. For another, it demonstrates how secure these systems can be, when implemented well. One thing I wonder, though: What disclosure laws does Germany have if a healthcare provider's data is breached? Does an organization have to notify patients, partners, etc., if data's potentially been lost or stolen and what are the criteria (for example, after 500 records are affected; within 30 days...)? 
moarsauce123
50%
50%
moarsauce123,
User Rank: Ninja
3/15/2014 | 10:03:15 AM
All depends on implementation
Germany has EHRs for almost two decades and there is no known data breach so far. It all comes down to implementation and maybe not always going with the cheapest solution possible.
Alison_Diana
0%
100%
Alison_Diana,
User Rank: Author
3/13/2014 | 5:31:02 PM
Re: What's the Obamacare connection?
The study is a result of a poll so it's perception, not necessarily reality, that ACA puts patient data at risk. Some reasons: Pure and simple, more people sending health-related information to central locations, and the sheer volume of health data being exchanged by private and government agencies. Even though there were some downward shifts in breaches, there isn't much to celebrate and the industry has to do more. Healthcare security execs predict a Target-like breach for this business; with sites like Healthcare.gov, cybercriminals have one more very attractive target in their sights.
David F. Carr
100%
0%
David F. Carr,
User Rank: Author
3/13/2014 | 9:51:45 AM
What's the Obamacare connection?
Is the study saying that the health insurance exchanges in particular pose a cybersecurity hazard? I get that theft of a health insurance ID number is particularly valuable to the thief, but I'm not sure the insurance number is ever issued through that service. More likely that insurance numbers would be associated with patient records in a hospital or provider system that was breached.

Are there other provisions of Obamacare, besides the creation of the exchanges that encourage/require sharing of health information in some risky way? I associate most of the stuff about health insurance exchange more with the Meaningful Use program.
Healthcare Data Breaches Cost More Than You Think
Healthcare Data Breaches Cost More Than You Think
Healthcare providers just don't get it. They refuse to see the need to fully secure their protected health information from unauthorized users -- and from authorized users who abuse their access privileges. As a result, they don't allocate enough budgetary resources for securing medical data.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Government Oct. 20, 2014
Energy and weather agencies are busting long-held barriers to analyzing big data. Can the feds now get other government agencies into the movement?
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
A roundup of the top stories and trends on InformationWeek.com
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.