The Third Annual Benchmark Study on Patient Privacy & Data Security by Ponemon Institute, sponsored by ID Experts® was released today. Their findings are what we would expect, i.e., fairly discouraging, with entities reporting even more multiple breaches than previously. From their executive summary:
… healthcare organizations face an uphill battle in their efforts to stop data breaches. Ninety-four percent of healthcare organizations surveyed suffered at least one data breach; 45 percent of organizations experienced more than five data breaches during the past two years. Data breaches are an ongoing operational risk that could be costing the U.S. healthcare industry an average of $7 billion annually. A new finding indicates that 69 percent of organizations surveyed do not secure medical devices—such as mammogram imaging and insulin pumps—which hold patients’ protected health information (PHI). Overall, the research indicates that patients and their PHI are at increased risk for medical identity theft. Risks to patient privacy are expected to increase, as mobile and cloud technology become pervasive.
For the 80 organizations that participated in the survey, the results indicated that the top three causes for a data breach were lost or stolen computing devices, employee mistakes and third-party snafus:
Insider negligence continues to be at the root of the data breach. The primary cause of breaches in this study is a lost or stolen computing device (46 percent), which can be attributed in many cases to employee carelessness. This is followed by employee mistakes or unintentional actions (42 percent), and third-party snafus (42 percent). A major challenge for IT security is the increase in criminal attacks, which has seen an increase from 20 percent in 2010 to 33 percent this year.
Malicious insider breaches, which have been an increasing concern of mine, accounted for 14% of the breaches, a number that is comparable to their figures for 2011 and 2010 but is significantly lower than the 23% figure reported by HITRUST based on analysis of breaches in HHS’s breach tool for the past few years.
I really need to find some time to sit down with multiple reports and studies and see where they agree and where they don’t.