New Research Shows Increase in Medical Identity Theft


New Research Shows Increase in Medical Identity Theft

New Research Shows Increase in Medical Identity Theft

The Ponemon Institute, a research center dedicated to privacy, data protection and information security policy, in December released its third annual study on patient privacy and data security in healthcare organizations. The report shows that while healthcare organizations have made progress in protecting patient information, the frequency, costs, and impacts of data breaches and medical identity theft continue to rise.

According to the Ponemon study, 94 percent of hospitals surveyed report at least one data breach during the past two years, and nearly half (45 percent) suffered more than five breaches during the same period. More than half of hospitals reported cases of medical identity theft affecting their patients. In fact, according to the Department of Health and Human Services website, healthcare data breaches have affected over 21 million Americans since 2009.

The average financial impact of a data breach is now $1.2 million, up from $1 million in 2010. Estimates from the Ponemon Institute indicate that the cost of data breaches to the U.S. healthcare industry has risen to almost $7 billion annually, and the cost of medical identity theft is now over $41 billion, up from around $31 billion just a year ago.

Furthermore, while medical data privacy programs have improved, they are not yet keeping pace with the threats to data security and privacy. Human factors continue to be the weak link in medical data privacy: organizations in the Ponemon study report that lost or stolen computing devices are still the leading cause of data breach (46 percent), followed by mistakes by employees or third-party vendors (42 percent each), with criminal attacks trailing at 33 percent. At the same time, technology trends, including mobile computing, “bring your own device” (BYOD) programs, and cloud computing, are introducing new areas of vulnerability.

In short, the study reveals the following:

Respondents acknowledge the harms to patients if their records are lost or stolen. The types of patient data lost or stolen most often are medical files and billing and insurance records. Seventy percent of respondents say there is an increased risk that personal health facts will be disclosed if the records are stolen or lost. This is followed by the risk of financial identity theft and medical identity theft (61 percent and 59 percent, respectively).

Medical identity theft occurs and can affect patient treatment. Fifty-two percent of organizations report that their healthcare organizations had one or more incidents of medical identity theft. While only 18 percent say the theft was a result of a data breach, 32 percent are unsure. This uncertainty is due in part to the finding that only one-third say they have sufficient controls in place to detect medical identity theft.

Trends in mobility and employee owned devices put patient data at risk. Eighty-one percent of organizations permit employees and medical staff to use their own mobile devices such as smartphones or tablets to connect to their networks or enterprise systems such as email. On average, 51 percent of employees are bringing their own devices to the healthcare facility.

Unsecured medical devices are vulnerable to hackers. Medical devices containing sensitive patient information, such as wireless heart pumps, mammogram imaging systems and insulin pumps, often run on commercial PCs and have wireless connections that make them vulnerable to cyber attacks. According to the healthcare organizations in this study, 69 percent of organizations do not secure medical devices. This finding may reflect a belief that it is the responsibility of the vendor, not the healthcare provider, to protect these devices.

Healthcare organizations embrace the cloud. Sixty-two percent of organizations make moderate or heavy use of cloud services. Only 9 percent do not use cloud services. However, 47 percent are not confident that information in the cloud is secure and 23 percent are only somewhat confident.

Confidence in the ability to prevent and detect a data breach improves but still has far to go. In 2010, only 31 percent of organizations said they had confidence in preventing and detecting all patient data loss or theft in their organization. This percentage has been steadily climbing and it is now at 40 percent. What has improved is that organizations are relying less on an “ad hoc” process and more on policies and procedures and a combination of manual procedures and security technologies.

Compliance encourages improvements in privacy and data security. Thirty-six percent of respondents strongly agree or agree that recent Office for Civil Rights (OCR) HHS HIPAA/HITECH audits and fines have brought about changes in their organization’s patient data privacy and security programs. Sixty-eight percent of organizations conduct and document post-breach incident risk assessments as mandated by the HITECH Act, an increase from 61 percent last year.

Steps to Implement

Experts recommend several immediate steps to improve data privacy in healthcare organizations:

  1. Operationalize pre-breach and post-breach processes. Involve stakeholders in creating incident assessment and incident response processes, train all relevant staff in these procedures, and conduct regular readiness tests to monitor the effectiveness of the processes.
  2. Restructure the information security function to report directly to the board to symbolize commitment to data privacy and security.
  3. Conduct annual assessments of combined privacy and security compliance.
  4. Update policies and procedures to include mobile devices and cloud computing services.
  5. Evaluate the Incident Response Plan (IRP) regularly to be sure it covers business associates and partners, cyber insurance, and other changing privacy-related aspects of the business.

Axis Insurance Services provides cyber liability (privacy) insurance for all types of companies, and can review with you what is needed to adequately protect your firm. Give us a call at: (877) 787-5258.

Source: Ponemon Institute

Blogged on: January 10, 2013 by Mike Smith