Ponemon Study Finds System-Wide Data Breach Problems in Healthcare Industry
The Ponemon Institute recently released its Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data, which was sponsored by ID Experts. In it are numerous sobering findings that paint a bleak picture about the current state of the security of healthcare-related data.
The study covered 91 ‘covered entities’ (CE) healthcare organizations, along with 84 business associates (BA), which handle sensitive patient data while performing services for the CEs. This is the second straight year that BAs were included in the study, which Ponemon feels gives more accurate results when evaluating data security across the entire healthcare industry.
The average cost of a data breach to a CE is over $2.2 million; about $1 million for BAs. Although criminal attacks are the leading cause of data breaches in the industry, BAs and CEs are not increasing their budgets for security, although about one-third are buying data breach insurance. Both BAs and CEs rely heavily on policies and procedures to prevent and detect breaches.
These findings are disconcerting, to say the least. It is obvious that the industry recognizes how vulnerable it is to cyberattacks. The problem is that most of the efforts of CEs and BAs seem to go towards dealing with the aftermath of a breach, rather than preventing one in the first place.
Just as auto insurance doesn’t make a ‘lead foot’ drive more safely, data breach insurance doesn’t make a company better at protecting data. It only ensures that they can cover the costs of litigation. The preventive measures that security policies and procedures have to offer are ineffective against many attacks.
The bad news for patients is that they pretty much have no alternatives. At least with the Target data breach from December 2013, customers could take their business elsewhere. This tactic doesn’t work with healthcare. The ACA requires that all U.S. citizens buy healthcare coverage, and there are few good options in an industry with systemic data security issues.
Although the study is an indirect marketing tool for ID Experts, it would be difficult to argue against the idea of considering the services they have to offer, especially for healthcare data.
One solution the company offers is its Medical Identity Alert System or MIDAS, which functions much like the consumer protection service Lifelock. Members receive text or email alerts when a claim is made in their name. These claims can be reviewed by the member and flagged as suspicious if potentially fraudulent.
In a purely technical sense, it may not be possible to detect a data breach until it occurs, but with a tool like MIDAS there is at least a way to stop the damage early. Hopefully the healthcare industry realizes sooner rather than later that policies and procedures alone don’t cut it, and becomes more open to technology that allows quicker responses to breaches.
Edited by Peter Bernstein