4th Annual Ponemon Benchmark Study – Reveals New Problems for PHI Security

 

Same as it ever was? You’d be forgiven for thinking that after reading the Fourth Annual Benchmark Study on Patient Privacy & Data Security Report (the “Study”).  Conducted by the Ponemon Institute and sponsored by our friends at ID Experts, the picture has not improved for security and privacy of U.S. patient “protected health information” (“PHI”) since Ponemon’s first annual study in 2010.  What are the lessons and takeaways from this year’s Study?

First, some good news.

• The total number of data breaches involving PHI have decreased “slightly”
  • Before you pop the champagne, this tidbit is tempered by the news that 90% of healthcare organizations (“HCO’s”) in the Study reported they had at least one data breach in the past two years, with 38% reporting “more than five incidents.”
  • The good news comes about in comparison with last year’s 2013 report where 45% of organizations reported more than five incidents. (And an “incident” can be anything from a major news-making data breach to a small data loss.)
• Ability to control data breach costs has improved
  • Giving credence to the old maxim that “practice makes perfect” organizations and professionals involved with data breach responses have, by and large, honed response frameworks after repeat experiences.  As a result the Study reveals that the average data breach cost for healthcare organizations has decreased 17% to $2.0 million.  That’s still a significant seven digit number, however.

That’s the good news.

The bad news continues apace, unfortunately.  However, it’s important to keep in mind the Study’s methodology limitations, detailed on page 24, which acknowledge clearly that the Study results “may be biased in two important respects,” namely being skewed to larger-sized HCO’s and the individuals contacted were centered in data protection, infosec and privacy positions.

Added to this is that the Study sample size is relatively small – 91 organizations – and that the Study relies on self reporting, leads to the mindful caveat that “those organizations that chose not to participate [may be][] substantially different in terms of data protection and compliance activities.” Words of wisdom.

Nevertheless, with these limitations in mind, the Study’s negative findings are sobering and include:

• The Patient Protection and Affordable Care Act (“ACA” a/k/a “Obamacare”) has many 69% of HCO’s believing it either “significantly increases” or “increases” risk to patient privacy and security due to insecure exchanges and the increased need for patient information sharing that the ACA mandates.
• Criminal attacks on HCI’s have increased 100% since 2010.  Read that again.  100%.  While insider “negligence” is attributed as the root cause of a majority of data breaches reported by the Study (and “negligence” comes in many forms) the continued need to fend off increasing numbers of criminal attempts and attacks on digital infrastructure is a thankless but constant battle.
• Employees.  One IT security wag quipped to me at a recent security gathering that “my security would be nearly 100% if I could just get rid of all our employees.”  While wishful thinking by many IT/infosec pros, but the fact remains that HCO’s above all else worry about employee negligence.  While negligence is a legal term of art, encompassing the most important civil tort, in common parlance negligence often tends to equate with “mistakes” – as in, “oops I left my laptop in the car and it was stolen.”
  • As long as human nature remains with it is “negligence” will never be eliminated.  But it can be minimized with regular training and a company culture that via osmosis ultimately pervades from the C-suite to the loading dock.
• BYOD. No, BYOD doesn’t actually mean “Bring Your Own Data Breach.” But it could, given that close on the heels of HCO’s concerns about Employees’ negligence is the Study’s revelation that 88% of HCO’s permit employees and medical staff to use their own mobile devices to connect to HCO assets and email.  The Bring Your Own Device trend is effectively unstoppable – unless you run your organization with the fervor of a Spartan encampment.  But that shouldn’t mean BYOD is a license to run riot with company information or PHI.  Have you created an effective, workable and security-conscious BYOD program?  If not, why not?
• Clouds gathering.  Another Study data point is that cloud services are increasingly being heavily used by HCOs, but that only 1/3 of HCOs are very confident or confident that their cloud stored data is secure.  That’s appalling.  If you don’t have confidence that your data, particularly PHI, is reasonably secured in a given cloud installation you shouldn’t be using that service.  We’ve helped numerous clients negotiate and navigate data security schedule for cloud usage – and every case is different potentially.  But here at the Sm@rtEdgeLaw Group we utilize cloud services extensively – but always with an eye towards security and applicable state bar Ethic Opinions addressing use of cloud services. (With the Connecticut Bar Association most recently issuing an informal ethics Opinion, No. 2013-07, on use of cloud service by attorneys.)
• Trust. But Verify.  How’s this for a statistic?  73% of HCO’s in the Study don’t trust their third party vendors or Business Associates (a HIPAA term of art) with sensitive patient information.  On the one hand that’s an admirable skepticism.  On the other hand it speaks volumes about the vetting, due diligence, contracting and auditing involved with partnering with third parties and Business Associates. The BA’s generating most angst are IT service providers (!), claims processors and benefits management parties.
• Paper Policies.  While 55% of HCO rely on “policies and procedures” to prevent or detect unauthorized patient data access or theft less than 46% of HCO’s have personnel in place who are knowledgeable about HIPAA/HITECH requirements and applicable state data breach notification laws.  And this is likely a large factor in why the Study further reveals that only ~24% of HCOs are in compliance with required reporting on disclosures.

The Bottomline Takeaway

The “and that’s what we’ve learned” takeaway from the Study is simple: most HCOs (as well as other organizations) aren’t adequately prepared or confident that they’re secure.  And that employees remain the lynchpin of maintaining data and other security.

In turn that should mean that security programs focus on upping the security quotient and knowledge of all employees, whether that takes the form of retaining counsel like the Sm@rtEdgeLaw Group to review legal compliance, procedures and employee training programs, or embarking on a concerted inhouse program (that’s adequately funded) to put data and information security on the same level as business development.

Either way there’s a stiff challenge facing HCOs and others handling PII/PHI since we naturally focus on increasing business coming in the door rather than on what might make clients run for the door, like a serious data breach.

To discuss the Study, your own data security programs or simply what we might be able to help you with in managing risk and increasing security, feel free to call or contact us at 203 307-2665203 307-2665 or info@SmartEdgeLawGroup.com or view the contact form below.

[contact-form][contact-field label=’Name’ type=’name’ required=’1’/][contact-field label=’Email’ type=’email’ required=’1’/][contact-field label=’Comment’ type=’textarea’/][/contact-form]