Many healthcare organizations allow employees to bring smartphones, tablets and other sophisticated data-gathering devices into their offices and to connect them to their networks or enterprise systems, the third annual study on Patient Privacy and Data Security revealed today.
The authors ask whether BYOD (bring your own device) is a security hazard that healthcare organizations are simply not aware of.
The report, published by the Ponemon Institute and the Health Information Trust Alliance, found that the healthcare industry continues to lag behind most other sectors of the economy when it comes to stopping data breaches.
The 2012 report states that 94% of the 80 healthcare organizations surveyed admitted to at least one data breach during the previous 24 months; 45% said they knew of at least five data breaches, up from 29% in the previous report.
Over half of the organizations surveyed said they had experienced at least one incident of medical identity theft. Only 18% said they were sure the theft was the result of a data breach; 32% said they were unsure.
Over half of the health organizations said they had little or no confidence in their ability to detect breaches. Just 40% said they could confidently prevent, or rapidly detect, all loss or theft of patient data.
Data breaches cost US healthcare organizations an estimated $6.78 billion every year, the report says.
BYOD does improve productivity, as time-and-motion experts have shown. The technologies that promise greater productivity and convenience today include mobile devices, file-sharing apps and cloud-based services, all of which are difficult to secure. The risk is that an employee may carry data, including confidential patient information, out of the organization on such a device or service, where it could end up in the wrong hands.
The authors wrote:
“Another worry presented in this research is that sophisticated and stealthy attacks by criminals have been steadily increasing since 2010.
The price tag for dealing with these breaches can be staggering. While the cost can range from $10,000 to more than $1 million, we calculate that the average cost for the organizations represented in this benchmark study is $2.4 million over a two-year period. This is up slightly from $2.2 million in 2011 and $2.1 million in 2010.”
In 46% of data breaches, the employee's computing device was lost or stolen, which the authors attribute to carelessness.
In 42% of cases, the breach was caused by employee mistakes or unintentional actions.
Third-party snafus are also a relatively common cause of data breaches.
The number of targeted criminal attacks on healthcare organizations' databases has also increased.
The authors explained that when they asked healthcare organizations how confident they were that the devices employees bring into the office and take home are secure, the most common answer was that they were not confident at all.
The healthcare organizations covered in this report break down as follows:
- Hospitals/clinics that are part of a network – 46%
- Integrated delivery systems – 36%
- Standalone hospitals/clinics – 18%
The researchers carried out 324 interviews; interviewees included people working in administration, security, privacy, compliance, clinical matters and finance.
The authors recommend that healthcare organizations:
- Carry out a privacy risk assessment
- Identify organizational gaps
- Create a policy that includes detailed guidelines covering all mobile devices used by employees and contractors
- Ensure the policy addresses the security risks and states clearly which procedures must be followed
- Use the mobile device policy to educate employees on why their devices must be secured and safeguarded, and on which risky behaviors to avoid
Experts believe the true number of data breaches is several times higher than is currently reported, simply because most healthcare organizations do not have the means to detect them.
Of more concern is the low priority many leaders give to data breaches, the Ponemon Institute said. Compared with other sectors of the economy, such as banking, healthcare seems relatively unconcerned.
Medical devices such as insulin pumps, mammography imaging machines and wireless heart pumps hold large amounts of sensitive patient data; most are connected wirelessly to commercial PCs and are vulnerable to cyber attacks. Most healthcare organizations do not secure their medical devices. The authors think this is because organizations believe that protecting the products is the responsibility of the medical device vendor, not theirs.
Written by Christian Nordqvist