When security concerns among the general patient population are on the decline -- and they are, according to a recent Unisys Corp. security index -- the question arises: Are there fewer threats or better safety measures? The answer is both.
The survey, conducted annually by Lieberman Research Group on behalf of Unisys, which provides security products to various industries, offers a snapshot of the nation's sense of confidence in national, personal, internet and financial security. Halfway through 2013, this year's survey found 59% of Americans concerned about a patient data breach in healthcare organizations, with 31% pegging themselves as "somewhat" concerned and 29% as "very" concerned.
A lot of data theft occurs and personal information is exchanged, but it's not really making an impact down at a personal level.
vice president of enterprise security solutions, Unisys
That said, the overall security index for the first half of 2013 stands at 120 on a scale of zero to 300, which represents the lowest level of consumer concern the U.S. has seen since Unisys' inaugural survey in 2007, and is 23 points under the company's current global benchmark.
Steve Vinsik, vice president of enterprise security solutions for Unisys, said a high population of concern for data breaches and a lowered level of concern for overall security likely means Americans understand the pervasiveness of online security threats; they're just not experiencing the effects of them.
"Over the last year or two, there's been a tremendous amount of media attention paid to cybersecurity in the government and private institutions. So there's a much more general understanding in the American population of what cybersecurity is and isn't," he said. "A lot of data theft occurs and personal information is exchanged, but it's not really making an impact down at a personal level."
Vinsik said that beyond individual impact, prevalence plays a sizeable role in determining what Americans perceive as viable threats. For example, this year, 29% of respondents said they're concerned about a widespread health epidemic in America, down 8% from last year, and 40% aren't concerned at all, up 7%.
"You think back a couple years, and you're dealing with the bird flu and strong flu seasons," he said. "There hasn't been that one big health issue this year. So you have to consider what's been in the news to raise concerns."
The healthcare industry deals with personally identifiable information, falls under strong regulatory bodies that audit compliance, and is in the midst of implementing electronic health records (EHRs). Those three factors, Vinsik said, influence the view among patients that providers are increasing emphasis on security. Despite the uptick of data breaches and theft, organizations are doing "some of the right things" to protect personal health information, he said, and that's why patients aren't being inconvenienced.
"They're protecting their patients' information," he said, "and when they do get hacked or experience a breach, that percentage of people seriously concerned about the protection of their data and the potential of a data breach translates into them being very concerned about who they do business with and how they conduct business online."
On the topic of breach reporting, the survey found Americans evenly split: 46% of respondents said private businesses should have to share cybersecurity attack information with the government, while 48% wanted to keep their data -- including breaches -- private. Under the updated HIPAA rules, all covered entities are required to report breaches affecting more than 500 individuals to the secretary of the U.S. Department of Health and Human Services.
Vinsik said healthcare leaders should consider the survey's findings as confirmation that consumers really are concerned about the safety of their information and make a point to implement tools that have security measures embedded into their large-scale solutions.
"From a business perspective, EHRs do the job," he said. "But what they aren't necessarily doing is providing that security. You have to think about security throughout the lifecycle, including continuous monitoring of that environment."