Hospitals are increasingly at risk of data breaches
According to a Ponemon Study, nine out of ten hospitals in the U.S. have suffered a data breach or intrusion in their networks over the past two years, exposing their patients' personal data. In one incident alone, a stolen laptop in Massachusetts exposed the names, Social Security numbers, addresses and diagnoses of more than 100,000 patients. These breaches not only tarnish the reputation of the hospital, they can also result in heavy fines. Brighton and Sussex University Hospitals was given the largest ever data breach penalty last year, £325k, after confidential patient data was sold on eBay. Data breaches are ongoing operational and security risks that could be costing the U.S. healthcare industry an average of $7 billion annually, as stated in the Ponemon findings.
Most of this data loss is due to devices such as laptops and USB sticks being stolen or lost. Data breaches, however, can also be the result of unclear or unenforced security policies for sharing patients' confidential information. More than 3,000 patients at Oregon Health and Science University had their health information compromised after residents and physicians-in-training in three departments used Google cloud services to share patient data. According to officials, the university has no contractual agreement to use the cloud-based ISP, but residents and physicians-in-training were using the service anyway to share patient information: ages, provider names, diagnoses and, in some cases, addresses. Apparently this practice is fairly common. In the Ponemon survey, 91% of hospitals surveyed are using cloud-based services, yet 47% lack confidence in their ability to keep data secure in the cloud.
The use of cloud-based services is often "hidden" from hospital IT managers when health care workers access cloud services from their own personal mobile devices. According to the Ponemon study, 81% of hospitals permit employees and medical staff to use their own mobile devices, such as smartphones or tablets, to connect to their organizations' networks or enterprise systems. However, 54% of respondents say they are not confident that these personally owned mobile devices are secure.
Previously focused on controlling physical access to patient records with key cards, medical IT managers are now becoming aware that the process of sharing patient data also needs to be protected. The risk will continue to rise now that more and more medical records are digitized; employees are working from home, hotels and Internet cafes, and are storing files using public cloud services.
If hospitals approach patient information the way banks approach personal data for online banking, many of these risks can be minimized. Maintaining security policies that grant individual authorizations and assign a security level to each patient file, while keeping sensitive data encrypted at all times, brings control to managing hospital information. If the process of loading documents onto the cloud is policed and authorizations are enforced automatically by proper security systems, highly sensitive data is never exposed. Likewise, if file sharing policies are enforced, sensitive patient data stays encrypted, so nothing is lost if a device is stolen.
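The paragraph above describes three controls working together: a security level on each patient file, an individual authorization for each user, and a rule that identifiable data is encrypted before it leaves the hospital network. The following is an added illustration, not code from the article or from any hospital system, of what an automated sharing gate enforcing those rules looks like. The level names, the care-team authorization model, and the `Envelope` type (which only records whether the organization's encryption service, assumed and not implemented here, has wrapped the content under a key id) are all assumptions; every decision is appended to an audit log so that unenforced or bypassed policy, the failure mode the Oregon case illustrates, becomes visible.

```python
"""Policy gate for sharing patient records.

Added example (not from the original article). Models per-file security
levels, per-user authorizations and an encrypt-before-export rule. The
names, levels and destinations below are constructed for illustration.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import FrozenSet, List, Optional, Tuple


class Level(IntEnum):
    """Security level assigned to each patient file (assumed scheme)."""
    INTERNAL = 1       # scheduling, administrative data
    CONFIDENTIAL = 2   # identifiable clinical data: diagnoses, addresses
    RESTRICTED = 3     # highest sensitivity; never leaves the network


@dataclass(frozen=True)
class PatientFile:
    patient_id: str
    level: Level
    content: bytes


@dataclass(frozen=True)
class User:
    name: str
    clearance: Level               # highest level this user may read
    care_team_of: FrozenSet[str]   # patient ids the user is authorized for


@dataclass(frozen=True)
class Destination:
    name: str
    external: bool  # True for cloud services, removable media, personal devices


@dataclass(frozen=True)
class Envelope:
    """Payload as presented to the gate. key_id is set only when the
    organization's encryption service (assumed, not implemented here)
    has wrapped the content; the gate never sees plaintext keys."""
    data: bytes
    key_id: Optional[str] = None

    @property
    def encrypted(self) -> bool:
        return self.key_id is not None


@dataclass
class SharingGate:
    """Evaluates every share request and records the outcome for audit."""
    audit: List[dict] = field(default_factory=list)

    def decide(self, user: User, pf: PatientFile, dest: Destination,
               env: Envelope) -> Tuple[bool, str]:
        allowed, reason = self._evaluate(user, pf, dest, env)
        # Audit every decision, allowed or denied: unenforced policy is
        # only discoverable if the attempts are recorded.
        self.audit.append({"user": user.name, "patient": pf.patient_id,
                           "level": pf.level.name, "dest": dest.name,
                           "encrypted": env.encrypted, "allowed": allowed,
                           "reason": reason})
        return allowed, reason

    @staticmethod
    def _evaluate(user: User, pf: PatientFile, dest: Destination,
                  env: Envelope) -> Tuple[bool, str]:
        if user.clearance < pf.level:
            return False, "clearance below file security level"
        if pf.patient_id not in user.care_team_of:
            return False, "user not authorized for this patient"
        if dest.external and pf.level == Level.RESTRICTED:
            return False, "restricted data may not be exported"
        if dest.external and pf.level >= Level.CONFIDENTIAL and not env.encrypted:
            return False, "identifiable data must be encrypted before export"
        return True, "ok"


# Constructed sample principals, files and destinations.
DR_LEE = User("dr.lee", Level.CONFIDENTIAL, frozenset({"P-1001"}))
FILE_1001 = PatientFile("P-1001", Level.CONFIDENTIAL, b"diagnosis: ...")
FILE_2002 = PatientFile("P-2002", Level.CONFIDENTIAL, b"diagnosis: ...")
FILE_3003 = PatientFile("P-3003", Level.RESTRICTED, b"...")
CLOUD_DRIVE = Destination("personal-cloud-drive", external=True)
EHR_SHARE = Destination("internal-ehr-share", external=False)


def run_scenarios() -> List[Tuple[bool, str]]:
    """Runs five representative share requests through one gate."""
    gate = SharingGate()
    plain = Envelope(FILE_1001.content)
    wrapped = Envelope(b"<ciphertext>", key_id="kms-key-42")  # assumed KMS id
    return [
        gate.decide(DR_LEE, FILE_1001, CLOUD_DRIVE, plain),    # denied: not encrypted
        gate.decide(DR_LEE, FILE_1001, CLOUD_DRIVE, wrapped),  # allowed
        gate.decide(DR_LEE, FILE_1001, EHR_SHARE, plain),      # allowed: stays internal
        gate.decide(DR_LEE, FILE_2002, CLOUD_DRIVE, wrapped),  # denied: not on care team
        gate.decide(DR_LEE, FILE_3003, EHR_SHARE, wrapped),    # denied: clearance too low
    ]


if __name__ == "__main__":
    for allowed, reason in run_scenarios():
        print("ALLOW" if allowed else "DENY ", reason)
```

The order of the checks matters: authorization is evaluated before the encryption rule, so an unauthorized user is refused even with a correctly wrapped payload, and the `RESTRICTED` export ban applies regardless of encryption. The gate deliberately treats "encrypted" as a property of the envelope rather than trusting the destination, which is what keeps a lost laptop or an unsanctioned cloud account from becoming a breach.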
Many of these secure data sharing practices already exist in the banking and insurance industries and can be readily adapted to the healthcare industry. Now the pressure is on hospitals to make data security part of their everyday business. Medical professionals are going mobile and using cloud services too, but they must make sure they keep sensitive data secure, or they risk paying a heavy price.