In fact, 69% of respondents believe Obamacare increases or significantly increases risk to patient security and privacy, the study said. Three-fourths are concerned about the exchange of data between healthcare providers and government agencies; 65% worry about patient data being stored in insecure databases; and 63% cited patient registration on insecure websites.
Likewise, 66% of accountable care organizations (ACOs) believe the risks to patient privacy and security due to the exchange of patient health information has grown. Confidence in health information exchange security is low, too: 32% are somewhat confident and 40% are not confident in exchanges' ability to securely share patient data.
Vulnerabilities are especially worrisome given the growing criminal interest in healthcare records. Criminal attacks on hospitals increased 100% in four years, demonstrating both the value thieves place on patient records and the many ways data is lost and stolen.
Of the 91 health organizations studied, 90% suffered at least one data breach in the past two years, said Larry Ponemon during a conference call. The number of organizations suffering multiple breaches has declined, though, according to the study. Thirty-eight percent of respondents said they had five or more incidents, a decline from last year's study when 45% of respondents had more than five breaches. Organizations were also slightly more optimistic about their ability to detect breaches, the report said.
"It's nothing to celebrate because it's a little too early to call it a trend," Ponemon said. "Maybe healthcare organizations are doing a better job of protecting patient data."
The government has also stepped up enforcement, he said. Some organizations buy cyber liability insurance, which often includes the services of a breach manager, if needed, added Rick Kam, president and co-founder of ID Experts, which sponsored the study.
"That number when we first started to do this research back in 2010 was near 20%. The number has doubled to 40%. There's evidence from other places that cybercriminals are starting to find real value in patient information," said Ponemon.
Whereas stolen Social Security numbers are viable for only a few hours, thieves can use pilfered health insurance numbers to steal expensive medical services, defraud Medicare or Medicaid, or write prescriptions for drugs, said Kam. On the black market, a Social Security number sells for $1; a health insurance number commands $50, he said.
Negligence poses the biggest risk, according to 75% of those surveyed. Public cloud services (41%), mobile device insecurity (40%), and cyberattackers (39%) round out the list. Most organizations disregard their BYOD fears, with 88% of respondents saying they have a BYOD policy in place for employees' mobile devices. Likewise, despite concerns over cloud security, 40% of healthcare organizations use this technology heavily.
Healthcare providers don't trust their partners, however, when it comes to ensuring data security. According to the report, 40% are not confident and only 30% are confident or very confident that business associates would detect a breach, perform an incident risk assessment, and notify them after a data breach. They are especially concerned about IT providers, claims providers, and benefits management.
Medical data breaches seem to show up on the 6 o'clock news almost every week. If you think it wouldn't happen to you -- or the financial impact will be minor -- think again. Download the Healthcare Data Breaches Cost More Than You Think report today. (Free registration required.)
Alison Diana has written about technology and business for more than 20 years. She was editor, contributors, at Internet Evolution; editor-in-chief of 21st Century IT; and managing editor, sections, at CRN. She has also written for eWeek, Baseline Magazine, Redmond Channel ... View Full Bio
Healthcare Data Breaches Cost More Than You ThinkHealthcare providers just don't get it. They refuse to see the need to fully secure their protected health information from unauthorized users -- and from authorized users who abuse their access privileges. As a result, they don't allocate enough budgetary resources for securing medical data.
InformationWeek Tech Digest, Nov. 10, 2014Just 30% of respondents to our new survey say their companies are very or extremely effective at identifying critical data and analyzing it to make decisions, down from 42% in 2013. What gives?