DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Gaps In Hospital Security Policies Put Patient Data At Risk

Posted on April 8, 2008October 24, 2024 by Dissent

From Kroll’s press release:

Best practices in data security cannot be achieved by employee training alone. Organizations must make data security a part of their DNA, reflected in every aspect of business operations.

The healthcare industry’s focus on medical privacy and compliance has fostered a lack of awareness around the frequency, cause and seriousness of patient identity theft, according to the 2008 HIMSS Analytics Report: Security of Patient Data commissioned by Kroll Fraud Solutions, a leading provider of data protection and identity theft response services. The report reveals a significant blind spot that hinders hospital efforts to contain the problem and reduce risk.

“Healthcare facilities are complex environments where information is stored and shared in a number of ways that are critical to patient well-being,” said Brian Lapidus, chief operating officer of Kroll Fraud Solutions. “Until healthcare organizations expand their data security measures to address the threat of data compromise as well as privacy and compliance, patients will continue to be at risk.”

Key report findings include:
Regulatory loopholes in data management standards(1) allow data breaches to go unreported, preventing an accurate measurement of frequency.

  • Only 56 percent of breached organizations surveyed notified the patients involved.
  • On average, respondents ranked their familiarity level with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) at a 6.53 (on a scale of 1-7, with 7 being the highest) and nearly 75 percent claimed a familiarity level of 7.
  • The high level of HIPAA familiarity stems from the commencement of audits and the resulting penalties for non-compliant facilities. The issue: HIPAA compliance is an insufficient proxy for risk mitigation.

Security policies place a greater emphasis on preventing violation of privacy than preventing fraud and malicious intent.

  • Of those respondents who experienced a fraud-related breach, 62 percent identified the type of the breach as unauthorized use of information, while 32 percent cited wrongful access of paper records.
  • Noticeably absent were breaches attributed to malicious intent (i.e., stolen laptops/computers, deliberate acts by unscrupulous employees, and cyber attacks through the Internet).

Healthcare organizations lack appreciation for the costs of a breach.

  • Only 18 percent of breached organizations surveyed believed there was a negative financial impact, even though the average cost of a breach is estimated to be as high as $197 per compromised record and $6.3 million per incident.(2)

“The number one priority of U.S. healthcare institutions is saving the lives of those in need and rightly so, I might add,” said Lisa Gallagher, senior director of privacy and security for the Healthcare Information and Management Systems Society (HIMSS). “But patient safety extends beyond clinical care. This data tells us that organizations must also broaden their data security and risk management measures to address the threat of patient data breach.” Among the 13 percent of respondents who revealed that their facility had experienced a data breach:

  • 48 percent indicated that “reprimanding the employee” is effective breach response, while 11 percent offer “education” as a solution.
  • 35 percent said that they did not change the organization’s security policy after the incident.
  • Identity theft is three times as likely to happen at a larger facility (more than 100 beds) than a smaller facility (under 100 beds).

The report also indicates that healthcare organizations are focusing their security programs on employee education with nearly all respondents reporting that their organizations educate employees about the importance of maintaining patient data security. Almost 50 percent cited reprimanding or terminating the employee as an element of their organizations’ breach response plan and 35 percent of breached organizations surveyed did not change their security policies after the incident.

“There’s a dangerous assumption in the healthcare industry that education leads to policy implementation and change,” said Mr. Lapidus of Kroll. “Best practices in data security cannot be achieved by employee training alone. Organizations must make data security a part of their DNA, reflected in every aspect of business operations.” Survey Methodology: A total of 263 healthcare industry professionals participated in this research conducted in January 2008. They included IT professionals (50 percent), Health Information Management (HIM) managers (21 percent) and chief security officers (12 percent), among others working in the area of information management. Most respondents were small to mid-sized healthcare facilities.

For a copy of the 2008 HIMSS Analytics Report: Security of Patient Data and for more information on best practices in healthcare data security, please visit: www.krollfraudsolutions.com.

(1) i.e., Health Insurance Portability and Accountability Act of 1996 (HIPAA), Sarbanes-Oxley Act of 2002 (SOX) and Payment Card Industry Data Security Standards (PCI)
(2) Source: Ponemon Institute’s 2007 Cost of a Data Breach Study

About Kroll
Kroll, the world’s leading risk consulting company, provides a broad range of investigative, intelligence, financial, security and technology services to help clients reduce risks, solve problems and capitalize on opportunities. Kroll Inc. is a wholly-owned subsidiary of Marsh & McLennan Companies, Inc. (NYSE: MMC), the global professional services firm. Kroll began providing identity theft solutions in 1999 and created its Fraud Solutions practice in 2002 in response to increasing requests from clients for counsel and services associated with the loss of sensitive personal information, and related identity protection and restoration issues facing organizations and individuals.

Since then, Kroll’s Fraud Solutions clients have included Fortune 500 companies, non-profit organizations, and government entities dealing with healthcare, financial services, insurance, consumer service, and any activity involving the collection and use of personal information. Kroll’s Fraud Solutions team presently serves over 10,000 businesses and millions of individual consumers. For more information, visit: www.krollfraudsolutions.com.

About HIMSS Analytics
HIMSS Analytics supports improved decision-making for healthcare organizations, and healthcare IT companies and consulting firms by delivering high quality data and analytical expertise. The company collects and analyzes healthcare organization data relating to IT processes and environments, products, IS department composition and costs, IS department management metrics, healthcare delivery trends and purchasing related decisions. HIMSS Analytics is a wholly-owned, not-for-profit subsidiary of the Healthcare Information and Management Systems Society (HIMSS).


Related:

  • Two more entities have folded after ransomware attacks
  • Data breach feared after cyberattack on AMEOS hospitals in Germany
  • Premier Health Partners issues a press release about a breach two years ago. Why was this needed now?
  • Theft from Glasgow’s Queen Elizabeth University Hospital sparks probe
  • North Country Healthcare responds to Stormous's claims of a breach
  • Texas Enacts Electronic Health Record Data Localization Law
Category: Health Data

Post navigation

← Your medical history is a click away
New Player in Personal DNA Profiling Emphasizes Privacy →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Scattered Spider Hijacks VMware ESXi to Deploy Ransomware on Critical U.S. Infrastructure
  • Hacker group “Silent Crow” claims responsibility for cyberattack on Russia’s Aeroflot
  • AIIMS ORBO Portal Vulnerability Exposing Sensitive Organ Donor Data Discovered by Researcher
  • Two Data Breaches in Three Years: McKenzie Health
  • Scattered Spider is running a VMware ESXi hacking spree
  • BreachForums — the one that went offline in April — reappears with a new founder/owner
  • Fans React After NASCAR Confirms Ransomware Breach
  • Allianz Life says ‘majority’ of customers’ personal data stolen in cyberattack (1)
  • Infinite Services notifying employees and patients of limited ransomware attack
  • The safe place for women to talk wasn’t so safe: hackers leak 13,000 user photos and IDs from the Tea app

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Congress tries to outlaw AI that jacks up prices based on what it knows about you
  • Microsoft’s controversial Recall feature is now blocked by Brave and AdGuard
  • Trump Administration Issues AI Action Plan and Series of AI Executive Orders
  • Indonesia asked to reassess data privacy terms in new U.S. trade deal
  • Meta Denies Tracking Menstrual Data in Flo Health Privacy Trial
  • Wikipedia seeks to shield contributors from UK law targeting online anonymity
  • British government reportedlu set to back down on secret iCloud backdoor after US pressure

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.