As millions of new patients enter the US healthcare system under the Affordable Care Act, patient records have become a smorgasbord for criminals. The Fourth Annual Benchmark Study on Patient Privacy and Data Security by Ponemon Institute, sponsored by ID Experts, reveals new security and privacy threats to hospitals and the patient records they manage.
One of the key threats is the unproven security in the health insurance marketplaces, created as a result of the Affordable Care Act. According to the report, other top threats include: criminal attacks, employee negligence, unsecured mobile devices (smartphones, laptops, and tablets), and third parties—causing organizations to scramble.
Patient records are vulnerable to both insider and outsider threats because of the value of the information to criminals. These records contain personally identifiable information (PII) and protected health information (PHI). When combined, this information represents highly sensitive “regulated data,” which is tightly controlled by federal laws, including HIPAA and GLBA, as well as numerous state breach notification laws.
“Employee negligence, such as a lost laptop, continues to be at the root of most data breaches in this study. However, the latest trend we are seeing is the uptick in criminal attacks on hospitals, which have increased a staggering 100 percent since the first study four years ago,” said Dr Larry Ponemon, chairman and founder, Ponemon Institute. “The combination of insider-outsider threats presents a multi-level challenge, and healthcare organizations are lacking the resources to address this reality.”
The key findings of the research are that data breaches have declined slightly but remain high; the Affordable Care Act increases risks to millions of patients and their information; negligent employees and unsecured devices in the workplace remain a big security threat; and healthcare organizations don’t trust their third parties (Business Associates) with sensitive patient information.
“It’s been a year since the HIPAA Final Rule was issued, and we have seen healthcare organizations make some good progress towards complying with federal privacy and security guidelines and better safeguarding patient information. However, because the threats and risks are shifting, organizations are in a constant state of catch up,” said Rick Kam, president and co-founder of ID Experts.
“It’s like a bucket filled with water, with holes in it. The water keeps spurting out, and every time you patch one hole, a new hole forms. The process of patching old and new holes is overwhelming, and this new data validates that issue.”