Earlier this month, Lisa Vaas published an article on the Naked Security web site on the Ponemon Institute’s Third Annual Benchmark Study on Patient Privacy & Data Security, funded by ID Experts. Ms. Vaas did a good job of summarizing the most significant finding in the report: that the increase in data breaches over the past three years is due mainly to a lack of secure devices and to staff negligence (see the graph from the report below).
I strongly suggest that you download and read this report. The Ponemon Institute always does a good job in these areas, and if you are in healthcare, chances are the report will show trends similar to what happens in your own organization.
The takeaways here are that breaches are expensive, and it’s not just patient data. Just look at the numbers in the report.
In my opinion, the saddest statistic is that most of the breaches were discovered in an audit. One of the main reasons to conduct an audit is to demonstrate that these types of conditions do not exist. Employee discovery follows in second place. If an employee can discover it, an employee should be able to help prevent it.
Rather than trying to scare you with FUD (Fear, Uncertainty and Doubt – see my blog post of January 3, 2013) – and there are plenty of items with which to scare you – I would like to see the community come together and share the ideas and practices that help protect data. We always work with our clients to ensure that they have an environment that is both compliant and secure, but it takes everyone working together.
If you have seen a healthcare provider in the U.S. during the past six months, you probably noticed the additional paperwork needed and, in fact, the move away from paper. As healthcare-related information transitions toward digitization, the opportunities for a breach increase unless we all take the necessary steps.
When you decide to host the data that you manage with a provider, demand that they secure the environment, demonstrate compliance and do it all with full transparency. Anything short of that sells everyone short.
I will be attending HIMSS Conference in New Orleans on March 3-7 in order to help bring all of us to the right place with healthcare data. I hope to see you there!
About the Author: As Chief Risk Officer at Layered Tech, Jeff Reich (@LayeredTechCRO, +Jeff Reich) drives the company’s security and compliance services and guides risk mitigation efforts for clients. With more than 30 years of experience, Reich is a well-known risk management and security expert in the industry. He holds CRISC, CISSP and CHS-III certifications and is an ISSA Distinguished Fellow.