
Study Reveals How Well Consumers Feel Health Data is Protected

The results of a study on healthcare cybersecurity from the perspective of consumers have recently been published by cybersecurity firm Morphisec. More than 1,000 consumers were surveyed to obtain their opinions on healthcare cybersecurity, the healthcare threat landscape, how their personal health information is being targeted, and how well they feel their health information is protected.

The transition from paper records to electronic health records has improved efficiency and allows health information to be shared more easily, but vulnerabilities have been introduced that can be exploited by hackers.

Morphisec notes that cyberattacks on the healthcare industry occur at more than double the rate of attacks on other industry sectors. The volume of attacks, and the frequency with which they are reported in the media, undoubtedly affects how secure consumers believe their health records are.

Since 2009, more than 190 million healthcare records have been exposed or stolen, which is equivalent to 59% of the population of the United States, yet when consumers were asked if their providers have experienced a data breach, 54% did not know. 40% said no breach had occurred to their knowledge and only 6% said one of their providers has been affected. HIPAA requires notifications to be sent to consumers when their health records are exposed, but it would appear that many consumers feel they are not informed about data breaches.


Consumers Concerned About Privacy and Security of Health Data

When asked who is responsible for protecting health data, 51% of consumers felt it was a joint responsibility between consumers and their providers. Only 29% felt that it was the sole responsibility of their provider to keep health data private and confidential. Only 8% of consumers felt that it was their own responsibility to keep health data that has been shared with them private.

As more and more healthcare providers give patients access to their health information through patient portals, and consumers are encouraged to obtain copies of their health data, it is not surprising that so many consumers feel the responsibility for protecting health data is shared. The use of patient portals has increased from 28% to 42% in the past 12 months – an increase of 14%.

55% of consumers feel their health data is more secure when stored by providers. 45% believe that health information stored on personal electronic devices is more secure than data held by their providers. It is unclear whether consumers do not trust their providers to secure data, whether they think a cyberattack on a provider is more likely than an attack on them personally, or if they feel that there is little difference between their own security defenses and those of their providers.

What is clear is consumers believe there are many weak links that need to be addressed, in particular web browser defenses, which almost a quarter of respondents (24.1%) felt was the weakest link in security. A fifth of respondents felt the weak point was endpoint defenses (21%), email phishing defenses (20.9%) or patient portal defenses (20.1%). Only 13.8% felt medical device security was the weakest link.

Healthcare Organizations Only Achieving a Baseline Level of Security

HIPAA requires healthcare organizations to implement security measures to keep protected health information private and confidential. Heavy fines can be issued if a data breach is experienced and providers are discovered to have failed to implement appropriate defenses. HIPAA has certainly helped to improve the standard of security across the healthcare industry as a whole, but many providers have only implemented security defenses to ensure compliance with HIPAA. Once the minimum standard of security has been achieved, the checkbox is ticked, and little is done to further reduce risk.

Compliance can reduce risk, but HIPAA compliance does not mean cyberattacks will not succeed, nor that attacks have been made any more difficult for hackers.

“With nearly 90% of health organization CIOs indicating they purchase cybersecurity software to comply with HIPAA, rather than to reduce threat risk, consumers have a right to be worried about the cyber defenses protecting their health data,” said Tom Bain, VP of Security Strategy at Morphisec. “Merely checking the box that cybersecurity defenses meet HIPAA requirements isn’t enough to protect healthcare organizations today from advanced and zero-day attacks from FIN6 and other sophisticated attackers.”

That sentiment has been echoed by many industry professionals who believe that the threat of financial penalties is stopping healthcare organizations from improving their defenses further. Many just achieve the minimum level of security to comply with HIPAA.

Several stakeholders have suggested a safe harbor should be established for healthcare providers who meet HIPAA security standards to ensure they are immune from financial penalties. With the threat of financial penalties gone, it is felt that healthcare organizations would be more likely to invest more heavily in cybersecurity defenses.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.