BACKGROUND IMAGE: iSTOCK/GETTY IMAGES
Health care data breach fears are keeping more than a third of providers from joining their state health information exchanges, according to Ponemon Institute LLC's Third Annual Benchmark Study on Patient Privacy & Data Security. Researchers also found that the bring-your-own-device trend is rapidly expanding, despite health care organizations' inability to secure tablets and smartphones.
Of the 80 organizations -- comprising 457 individual participants -- in the study, only 28% are members in a state health information exchange (HIE) and another 17% are planning to join. But 35% indicated they would not be joining theirs. Why? Concerns about Health Information Portability and Accountability Act (HIPAA) mandates could be the reason: Some 66% indicated they are either "somewhat confident" or "not confident" about the privacy policies and security measures HIEs take to protect patient data.
That trend could be a case of perception vs. reality, said Ponemon Institute founder Larry Ponemon. Whether HIEs are secure, the many providers could be assuming they're not.
"I think it's kind of scuttlebutt -- but the general view is that a lot of these [HIE] systems are not built with security in mind, they're created to make information conveniently accessed," Ponemon said. "I think over time, as they mature, they will be much better accepted. ... I have no evidence, but I feel sometimes these things need to progress a little bit."
BYOD a potential HIPAA snafu
Rick Kampresident, ID Experts
Employees are using their own iPads, smartphones and other mobile devices in 81% of health care provider workplaces that participated in the study. Of those who use their own devices at work, half access what researchers termed "organizational data," which can include HIPAA-protected patient information. Yet about half (46%) of organizations indicated they are doing nothing to secure employee-owned mobile devices, and more (54%) indicated they have no confidence they are secure.
How significant is the risk of ignoring bring your own device (BYOD) in regards to data breaches? Growing fast, as more clinicians use iPads for electronic health record use, according to the Ponemon report. Last year, tablets represented 7% of lost or stolen devices, but this year, they represented 18%. Smartphone losses were up, but less dramatically than tablet losses, increasing from 21% to 24% of the lost or stolen devices for health care provider organizations.
Health care organizations' executive leaders don't budget enough for IT security or pay enough attention to shoring up data breach risks because they fail to see prevention as something they need to operationalize, said Rick Kam, president and co-founder of Portland, Ore.-based health IT security consultancy ID Experts, which sponsored the study.
"Many of them view a security or privacy breach as a once-in-a-lifetime, catastrophic event like a hurricane or tsunami," Kam said. "We're suggesting it's an everyday problem."
Other findings: Hackers more relevant -- barely
Participants in the Ponemon report shed light on other data breach trends, such as lost laptops comprising their primary cause about half (46%) the time. More revealing stats:
- Despite perceptions in the marketplace and consistent with federal HIPAA enforcement data, hackers as a cause of data breaches moved from a very small proportion in earlier reports to a slightly larger proportion in 2012. Paper records still account for a bigger source of data breaches than hackers.
- Some 45% of respondents said they had experienced five data breaches over the last two years -- obviously, not all of them big enough to be subject to reporting on the HHS wall of shame -- up from 29% two years ago. That's likely attributable to providers' sharpening their ability to detect breaches with more effective policies and security technologies, Ponemon said.
- More than one-third of data breaches (38%) affected 10 to 100 patients, but Kam pointed out that even if data breaches fall below public reporting thresholds in HIPAA breach notification rules, patients are filing more civil suits against hospitals even when smaller breaches occur, some of them of the class-action variety.
- Of those surveyed, 91% of providers use one form of cloud service or another, whether it be as simple as DropBox, or a much more complex data storage system. Of the cloud users, 26% use cloud services for patient data, 30% for billing data, and 46% for accounting or financial information. Another 47% lack confidence in cloud data security.
- The average number of lost or stolen records per breach among study participants was 2,769. Based on the average number of lost or stolen records in this study, married with previous Ponemon research on the cost of data breaches, a single "average" data breach would have an economic impact of about $537,186. Study participants, however, reported the average economic impact of their data breaches was more like $2.4 million.
It's still too early to determine from three years' worth of survey data whether health care data breaches are actually increasing, or if mere awareness of them is increasing and health care providers are finally grasping the scope of their problems. Another variable affecting the findings is, as more providers plug in and turn on new electronic health record systems, there are more opportunities for data breaches to occur. Yet another: The threat of HIPAA audits and enforcement actions is causing providers to take the risk of breaches more seriously, so they're looking harder.
Taken together, it's hard to ascertain the specific cause of an upward trend in data breach reports. On one hand, "there definitely are cases where organizations that have had data breaches are basically doing more and actually monitoring their environments for data breaches," Ponemon said. "It's not that data breach incidents have increased, but breach awareness has increased -- and therefore something that wasn't on anybody's radar screen suddenly is there because of internal processes."
On the other, he added: "That's a minority of organizations that have built that infrastructure ... my gut tells me that we only looked at the ones we knew about -- there are many data breaches that we actually stumbled on as researchers."
Read the full report here.