Obamacare Vs. Patient Data Security: Ponemon Research - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Healthcare // Security & Privacy
09:06 AM

Obamacare Vs. Patient Data Security: Ponemon Research

Healthcare professionals worry that healthcare regulations mandating patient data exchange are luring more data thieves, says Ponemon study.

10 Waiting Room Apps That Engage Patients
10 Waiting Room Apps That Engage Patients
(Click image for larger view and slideshow.)

Healthcare professionals believe the Affordable Care Act jeopardizes the safety of patient data, according to Ponemon Institute's Fourth Annual Benchmark Study on Patient Privacy and Data Security

In fact, 69% of respondents believe Obamacare increases or significantly increases risk to patient security and privacy, the study said. Three-fourths are concerned about the exchange of data between healthcare providers and government agencies; 65% worry about patient data being stored in insecure databases; and 63% cited patient registration on insecure websites. 

Likewise, 66% of accountable care organizations (ACOs) believe the risks to patient privacy and security due to the exchange of patient health information has grown. Confidence in health information exchange security is low, too: 32% are somewhat confident and 40% are not confident in exchanges' ability to securely share patient data.

Vulnerabilities are especially worrisome given the growing criminal interest in healthcare records. Criminal attacks on hospitals increased 100% in four years, demonstrating both the value thieves place on patient records and the many ways data is lost and stolen.

[Who's to blame for Oregon's insurance website fail? Read Oracle: Villain Or Scapegoat In Oregon Insurance Exchange Mess?]

Of the 91 health organizations studied, 90% suffered at least one data breach in the past two years, said Larry Ponemon during a conference call. The number of organizations suffering multiple breaches has declined, though, according to the study. Thirty-eight percent of respondents said they had five or more incidents, a decline from last year's study when 45% of respondents had more than five breaches. Organizations were also slightly more optimistic about their ability to detect breaches, the report said.

"It's nothing to celebrate because it's a little too early to call it a trend," Ponemon said. "Maybe healthcare organizations are doing a better job of protecting patient data."

The government has also stepped up enforcement, he said. Some organizations buy cyber liability insurance, which often includes the services of a breach manager, if needed, added Rick Kam, president and co-founder of ID Experts, which sponsored the study.  

"That number when we first started to do this research back in 2010 was near 20%. The number has doubled to 40%. There's evidence from other places that cybercriminals are starting to find real value in patient information," said Ponemon.

Whereas stolen Social Security numbers are viable for only a few hours, thieves can use pilfered health insurance numbers to steal expensive medical services, defraud Medicare or Medicaid, or write prescriptions for drugs, said Kam. On the black market, a Social Security number sells for $1; a health insurance number commands $50, he said.

Negligence poses the biggest risk, according to 75% of those surveyed. Public cloud services (41%), mobile device insecurity (40%), and cyberattackers (39%) round out the list. Most organizations disregard their BYOD fears, with 88% of respondents saying they have a BYOD policy in place for employees' mobile devices. Likewise, despite concerns over cloud security, 40% of healthcare organizations use this technology heavily.

Healthcare providers don't trust their partners, however, when it comes to ensuring data security. According to the report, 40% are not confident and only 30% are confident or very confident that business associates would detect a breach, perform an incident risk assessment, and notify them after a data breach. They are especially concerned about IT providers, claims providers, and benefits management.

Medical data breaches seem to show up on the 6 o'clock news almost every week. If you think it wouldn't happen to you -- or the financial impact will be minor -- think again. Download the Healthcare Data Breaches Cost More Than You Think report today. (Free registration required.)

Alison Diana has written about technology and business for more than 20 years. She was editor, contributors, at Internet Evolution; editor-in-chief of 21st Century IT; and managing editor, sections, at CRN. She has also written for eWeek, Baseline Magazine, Redmond Channel ... View Full Bio

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Author
3/17/2014 | 9:50:33 AM
Re: All depends on implementation
That's interesting, @moarsauce. For one thing, it shows just how far behind the US has been in terms of adopting technology within healtcare. For another, it demonstrates how secure these systems can be, when implemented well. One thing I wonder, though: What disclosure laws does Germany have if a healthcare provider's data is breached? Does an organization have to notify patients, partners, etc., if data's potentially been lost or stolen and what are the criteria (for example, after 500 records are affected; within 30 days...)? 
User Rank: Ninja
3/15/2014 | 10:03:15 AM
All depends on implementation
Germany has EHRs for almost two decades and there is no known data breach so far. It all comes down to implementation and maybe not always going with the cheapest solution possible.
User Rank: Author
3/13/2014 | 5:31:02 PM
Re: What's the Obamacare connection?
The study is a result of a poll so it's perception, not necessarily reality, that ACA puts patient data at risk. Some reasons: Pure and simple, more people sending health-related information to central locations, and the sheer volume of health data being exchanged by private and government agencies. Even though there were some downward shifts in breaches, there isn't much to celebrate and the industry has to do more. Healthcare security execs predict a Target-like breach for this business; with sites like Healthcare.gov, cybercriminals have one more very attractive target in their sights.
David F. Carr
David F. Carr,
User Rank: Author
3/13/2014 | 9:51:45 AM
What's the Obamacare connection?
Is the study saying that the health insurance exchanges in particular pose a cybersecurity hazard? I get that theft of a health insurance ID number is particularly valuable to the thief, but I'm not sure the insurance number is ever issued through that service. More likely that insurance numbers would be associated with patient records in a hospital or provider system that was breached.

Are there other provisions of Obamacare, besides the creation of the exchanges that encourage/require sharing of health information in some risky way? I associate most of the stuff about health insurance exchange more with the Meaningful Use program.
Enterprise Guide to Edge Computing
Cathleen Gagne, Managing Editor, InformationWeek,  10/15/2019
Rethinking IT: Tech Investments that Drive Business Growth
Jessica Davis, Senior Editor, Enterprise Apps,  10/3/2019
IT Careers: 12 Job Skills in Demand for 2020
Cynthia Harvey, Freelance Journalist, InformationWeek,  10/1/2019
White Papers
Register for InformationWeek Newsletters
Current Issue
Getting Started With Emerging Technologies
Looking to help your enterprise IT team ease the stress of putting new/emerging technologies such as AI, machine learning and IoT to work for their organizations? There are a few ways to get off on the right foot. In this report we share some expert advice on how to approach some of these seemingly daunting tech challenges.
Flash Poll