Survey: Healthcare Security Breaches Decrease Despite Varied Threats

Thirty-eight percent of healthcare organizations have had more than five data breaches over the past year, a decrease from the 45% that reported as many last year, according to a new study from Ponemon Institute LLC. The firm's "Fourth Annual Benchmark Study on Patient Privacy & Security" was released this month based on surveys received from 91 healthcare organizations. 

One possible reason for the decrease is that organizations are reporting that the number of records lost or stolen in each data breach has fallen to an average of 2,150 in 2013, compared with nearly 3,000 in 2012. Further, more organizations than in past years report that the data breach was discovered by a routine audit (58%) or by an employee (46%), which could also reduce the costs they would incur if breaches were instead discovered by patients, legal entities or law enforcement.

Despite such progress, however, healthcare organizations in this year's survey are still being bombarded with new factors that can contribute to patient data breaches. For example, 69% of respondents said the Affordable Care Act significantly increases or increases risk to patient privacy and security. These organizations are concerned that the exchange of patient data between providers and government entities, and patient data used in registration or stored in databases, as required by the ACA, could contribute to data breaches.

Healthcare organizations participating in this year's survey also reported that other threats to patient privacy and security could come from their increased use of cloud computing services. Only one-third said they were very confident or confident that information in a public cloud environment is secure, despite 40% saying they use the cloud heavily.

Further, criminal attacks on healthcare data have increased 100% since Ponemon began the survey four years ago. The top causes of these types of breaches are lost or stolen computing devices (49%), an unintentional employee action (46%) or a third-party mistake (41%), all of which could have been prevented from the inside.

But healthcare organizations also appear to be taking matters into their own hands. For example, 55% reported that they have the policies and procedures that effectively prevent or quickly detect unauthorized patient data access, loss or theft. And 46% say they have personnel who are knowledgeable about HITECH and states' data breach notification laws.

Further, despite increasingly letting employees bring their own device to use on the job, 56% of healthcare organizations reported that they are limiting access to critical systems on these devices, including those with patient data, or requiring users to read and sign an acceptable use policy for their devices (53%). Forty-four percent are limiting or restricting the downloading of patient data on these devices, according to the study.