Data Attacks on Healthcare Flying High

WRITTEN BY ERIN MCCANN

In the realm of privacy and security, heeding snooping employees and encrypting portable devices isn’t enough in healthcare these days. Criminal attacks on hospitals are on a steep upward trend, with a reported 100 percent increase from just four years ago. That’s according to a new Ponemon Institute study released today. This year, 40 percent of healthcare organizations have reported a criminal data attack. Business associates who are not yet compliant with HIPAA, along with employees given the green light to use their unsecured devices, certainly are not helping these numbers, say Ponemon officials.

Fighting an Uphill Battle

The news isn’t all bad, however. Data breaches have actually slightly declined in recent years, but it’s still no number meriting celebration, as breaches continue to cost the industry a pretty penny: $5.6 billion annually, to be exact. “It suggests healthcare organizations are making modest progress on managing sensitive patient information,” said Larry Ponemon, chairman and founder, Ponemon Institute, in an interview with Healthcare IT News. “I want to underscore the word ‘modest.’”

Breaking it down by organization, healthcare groups who experience a data breach can expect to pay out some $2 million over a two-year period. Moreover, an overwhelming 90 percent of survey respondents reported at least one data breach over the past two years, while 38 percent have had more than five data breaches in the same time period, officials pointed out.

“Employee negligence, such as a lost laptop, continues to be at the root of most data breaches in this study. However, the latest trend we are seeing is the uptick in criminal attacks on hospitals,” said Ponemon, in a March 12 press statement. “The combination of insider-outsider threats presents a multi-level challenge, and healthcare organizations are lacking the resources to address this reality.”

Keep Up with Evolving Threats

Additional findings include that some 75 percent of healthcare organizations cited employee negligence as the top security concern, since the growing use of personal, unsecured devices increases exposure to sensitive data. Bring-your-own-device policies, officials say, also present new risks, as personal devices have become harder to manage, control, and secure. In fact, 88 percent of organizations permit employees and medical staff to use their own mobile devices to connect to their organization’s networks or enterprise systems such as email, with access to patient information. Similar to last year’s study, more than 50 percent of industry groups are not confident that personally owned mobile devices are secure. Yet 38 percent of organizations fail to take steps to ensure these devices are secure.

Report findings also underscore healthcare groups’ growing distrust in their business associates when it comes to protecting patients’ health information. Some 73 percent of organizations are not confident or only slightly confident that their third parties are able to detect a security incident, perform an incident risk assessment, and notify them in the event of a data breach. According to those surveyed, the business associates who present the greatest risks to patient information are IT service providers, claims processors, and benefits management.

Doing IT Right

Despite the threats data breaches pose, some organizations have worked diligently to better protect patient information, as report findings suggest data breach numbers are actually slightly down this year. John Halamka, MD, CIO of Beth Israel Deaconess Medical Center in Boston, has been ahead of the game in the realm of data privacy and security for a long time now, implementing clear policies surrounding BYOD and device encryption.

Part of his success came from realizing at the end of the day “a CIO has limited authority but infinite accountability,” Halamka told Healthcare IT News. Then it’s a matter of asking, “How do you reduce risk to the point where government regulators and, more importantly, patients will say, ‘what you have done is reasonable.’”

Halamka, who oversees some 18,000 user accounts, 1,600 iPhones, and 600 iPads, spends some 20 percent of his day on risk, compliance, and governance. “Much of what I have to do is meet with my business owners and ask, ‘what are the risks?’ Reputational risks? Patient privacy breach risks? Data integrity risks? And then in a multi-year way put in risk mitigations,” he explained. “We’re never going to be perfect,” he added, “but we can put in place, what I call, a ‘multilayer defense.’”

ABOUT THE AUTHOR

Erin McCann is Associate Editor at Healthcare IT News. She covers healthcare privacy and security, meaningful use, ambulatory care, and healthcare policy.

10 CONNECTION/HEALTHCARE IT 2014.Q2