In a recently released survey of 200 healthcare chief information officers, health information technology directors and other leaders, 8% said their data had been hacked in the last year, representing a small but notable threat to patient and hospital data security.
Loss or theft of sensitive patient medical records and hospital data makes headlines around the country, creating momentum around boosting security and data encryption, but there’s still a "long way to go," according to the report.
"Technology is changing all the time, [and we’re] getting different kinds of attacks that we need to protect against," according to San Diego-based Sharp Healthcare CIO Bill Spooner. "We have to continue to raise our game just in the same way that hackers are raising theirs."
The most common form of information breach was a fax or mailer that had been misdirected, representing 40% of all data security incidents, but "insider attacks" such as identity theft or "record snooping" affected nearly 1/3 of organizations as well. Only 35% of those surveyed said they hadn’t had any breaches in the last 12 months, but security experts warned that the reported breach numbers are likely low.
"I’m sure there are lots of breaches that go unreported," cybersecurity consultant Tom Walsh told survey organizers. "If you think you are in great shape because no breaches are being reported, you may want to go back and do a little closer look. Perhaps your employees or your workforce members don’t even know that something is a reportable event. Or maybe they don’t know how to report it."
In general, healthcare groups have ramped up their security efforts and sought ways to enhance data encryption and personnel training, but too much of that has been the result of an incident rather than proactive security efforts, Spooner added. The "key" to winning executive support for a security boost may be "to have a breach or have your neighbor have a breach," he said.
"Typically, the organization that has the breach finds themselves implementing more rigorous procedures – things that they probably should have had in the first place," Spooner told survey organizers. "But with the number of reported breaches that we’re seeing in the news almost every week, it’s not quite as difficult of an argument as it was 5 or 10 years ago, because we realize that we’re all vulnerable."
Healthcare providers have certainly ramped up their internal security audits, according to the survey. In 2011, more than a quarter of surveyed groups said they had not conducted a risk assessment, compared with only 8% in the most recent survey.
"When you recognize that almost every week there is some kind of a reported breach around the country involving thousands of patient records being potentially compromised, and the fines and other punishment plus the poor public relations that go with that, it’s really increasing the emphasis, rightfully so, on improving our security profiles," Spooner said.
The survey, conducted in the fall of 2012, was organized by the editorial staff of Information Security Media Group, with the assistance of members of the HealthcareInfoSecurity board of advisers.