26 Percent of Healthcare Organizations Have Suffered a Data Breach

According to a recent Harris Poll survey conducted on behalf of Vormetric, 26% of healthcare organizations have suffered a data breach. With the volume of data breaches now being reported, it is highly probable that this figure will rise significantly over the course of the next 12 months.

The survey asked 818 IT decision makers – including 102 from the healthcare sector – about data breaches, threats and actions taken to prevent cyber attacks. Over half of the respondents (54%) said that achieving full HIPAA-compliance status had been the main reason why Protected Health Information has now been safeguarded, indicating that HIPAA is proving to be effective in this regard. 68% of respondents said that HIPAA has been “very or extremely effective at stopping insider threats and data breaches.”

While PHI protection has improved, there is still a long way to go. The survey indicated that over a quarter (26%) of healthcare providers had suffered at least one data breach. In spite of the efforts made by many healthcare providers to become HIPAA-compliant, 48% of the survey’s participants reported that they had either suffered a data breach or had failed a HIPAA compliance audit.

In a report in eWEEK, the CEO of Vormetric, Alan Kessler, said that it is difficult for patients to gain an accurate picture of the extent to which healthcare providers are protecting healthcare data. He also pointed out that it is worthwhile conducting a little research before choosing a healthcare provider. He said, “with some research they [patients] can arm themselves with information to help them evaluate the organization, and ask intelligent questions before making a decision.”

Interestingly, the survey indicates that the focus of healthcare IT professionals has shifted in recent months and that the emphasis – and budgets – has moved from HIPAA compliance to the prevention of data breaches. Stopping hackers has now become the top priority. The survey indicates that 53% of healthcare providers have made data breach prevention their main focus, with HIPAA compliance second, accounting for 39% of healthcare IT budgets. 63% of organizations have reported that they will be increasing their IT security budget over the coming months in an attempt to prevent data breaches and avoid the substantial cost that they carry.

While efforts are clearly now being directed at servers and firewalls to prevent attacks from hackers, it is important for healthcare organizations not to forget the threat that exists from within. The survey indicated that healthcare IT professionals are extremely worried about insider access, with 92% of respondents claiming that their organization was somewhat or more vulnerable to insider breaches than attacks from outside the organization. Just under half of respondents (49%) said that they were “extremely vulnerable” to employee snooping and internal data theft.

Perhaps unsurprisingly, the survey also confirmed that it is authorized users that pose the biggest risk, with 62% of respondents stating that identified privileged users represent the most dangerous inside threat. This suggests that while defenses against hackers have been increased, there are security systems in place to check for inappropriate access of PHI by the staff.

Kessler pointed out that over the coming months there is likely to be a considerable amount of money spent on securing healthcare providers’ defenses. He said, “Frankly, we think we’ll see more health care organizations reset priorities as more breaches lead to financial and legal headaches. Sometimes, lessons need to be learned the hard way.”

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.