The good news about healthcare data breaches? They're going down in frequency and they are costing slightly less to address, despite risks accelerating because of bring your own device deployments throughout U.S. healthcare.
2014 data breach survey, by the numbers
- 91 healthcare organizations were represented in the final sample.
- In the 2011 survey, 42% of respondents were "confident" or "very confident" their organization could detect all patient data lost. This year, that rose to 53%.
- Organizations indicating "little or no confidence" in detecting lost data in 2011: 58%; in 2014: 47%.
- "Unintentional employee action" accounted for 41% to 46% of breaches, remaining steady 2011 to 2014.
- "Criminal attacks," however, doubled from accounting for 20% of breaches in the 2011 survey to 40% this year.
- In the 2014 survey, tablets accounted for 27% of healthcare data breaches caused by stolen devices. That's up from 7% in the 2012 survey, the first year they appeared.
- In contrast, stolen thumb drives accounted for 16% of device thefts in 2012, but are down to 11% this year.
- Almost three quarters of respondents said the economic impact of data breaches in the last two years, per incident, started at $200,000 and went into the seven figures.
SOURCE: Ponemon Institute's "Fourth Annual Benchmark Study on Patient Privacy & Data Security," March 2014.
The bad news? Providers haven't come close to containing them via technology controls and policy enforcement, and their IT leaders believe new risks on the horizon threaten to cause more patient data leaks.
They have good reason to fear risks from outside their organizations. As employee mistakes decrease, hackers are mobilizing.
"A very interesting trend is that a root cause of data breaches back in 2010 was criminal activity -- malicious insiders, cyberattacks, etc. -- was 20%, but it [has] doubled and is 40% this year," said Larry Ponemon, chairman of Ponemon Institute LLC and author of the Fourth Annual Benchmark Study on Patient Privacy & Data Security, independent research sponsored by ID Experts.
HIPAA is helping
The more detailed HIPAA omnibus rule, released last year, has helped raise awareness of the potential for data breaches for healthcare organizations, as well as potential hot water they can get into when patient data is left unguarded. Those two factors, Ponemon said, account for the positive news.
One of the reasons the costs are going down is likely because healthcare organizations are reporting smaller data breaches, a sign that they are moving toward better security. Still, 90% of the 91 organizations responding to the annual survey reported experiencing at least one data breach over the last 24 months and a whopping 38% said they had five or more, leaving lots of work to be done shoring up patient data privacy and security.
Another reason data breach stats have improved this year over previous years, said ID Experts President Rick Kam, is that many healthcare providers are purchasing data breach "cyber-liability" coverage. Those policies typically include the insurer dispatching an outside expert to step in as a "breach coach" to help manage an organization's response.
"Organizations are getting better at data management," Kam said, "and then they have an expert to help them manage breach response and contain costs."
ACA and data risks: Myths vs. reality
Seventy percent of respondents indicated they believe the Affordable Care Act (ACA) has introduced unproven security into the health data ecosystem, which they also believe could harm patients. Kam said there is some legitimacy to those fears, as both the ACA and HITECH rushed the adoption of state health information exchanges and health insurance exchanges, both new and very large information systems.
Ponemon, who testified before Congress on ACA-induced data security pitfalls, also said the potential of compromised patient passwords giving data thieves access to both types of exchanges is also a new risk. Furthermore, more governmental agencies, such as the IRS, being involved in processing health insurance subsidy payments also opens up risk.
But that perception might be exaggerated in the way many arguments are overblown in the present polarized political climate. "There's the perception, and then there's the reality," Ponemon said. "The Affordable Care Act has generated a lot of negative perceptions, and even if you're a neutral person just turning on CNN or Fox News or whatever, you just get bombarded with stories. In reality, it does create opportunities for more data leakage because data sharing between parties is fundamental to the ACA. For legitimate reasons, by the way, it's not necessarily a bad thing to share -- it can be helpful to the patient."