A lack of proven security in the health insurance marketplaces is a key threat to patient information, according to a new report from the Ponemon Institute, which also lists criminal attacks, employee negligence, unsecured mobile devices and business associates among the top security and privacy issues health organizations face.
Though the number and size of data breaches have declined somewhat, criminal attacks on healthcare systems have risen 100 percent since the institute's 2010 study.
"The combination of insider-outsider threats presents a multi-level challenge, and healthcare organizations are lacking the resources to address this reality," said Larry Ponemon, the organization's chairman and founder, in an announcement.
Data breaches cost healthcare organizations $5.6 billion annually, a slight decline from previous years, indicating that some progress is being made. However, 90 percent of respondents had at least one data breach during the past two years and 38 percent have had more than five. That's down from the 45 percent last year who reported more than five incidents.
The study involved interviews with more than 500 healthcare executives, primarily from hospitals.
The average economic impact of data breaches over the past two years for the healthcare organizations was $2 million, a 17 percent decrease from last year's report.
- 69 percent of respondents believe the Affordable Care Act has increased risk to patient data. They cite concerns about insecure exchanges between healthcare providers and government (75 percent), insecure databases (65 percent), and insecure websites for patient registration (63 percent).
- 75 percent cite employee negligence as their biggest security worry, led by concerns about the BYOD trend. More than half of organizations are not confident that personally owned mobile devices are secure, yet 38 percent take no steps to secure them.
- 73 percent of healthcare organizations don't fully trust their business associates' security practices. Only 30 percent are confident that their business associates fully comply with HIPAA.
With the U.S. Department of Health & Human Services Office for Civil Rights beginning its HIPAA audit program in April, attorney David Holtzman, the OCR's former senior adviser, recently stressed the importance of encryption on end-user devices.
The Office of the National Coordinator for Health IT will soon be releasing a security risk assessment tool to help providers with documentation required in the security risk assessment process.