Healthcare security needs a booster shot

A new survey from PricewaterhouseCoopers has found that a majority of health enterprises do not have the security in place, nor the policies, to properly protect patient data and privacy.

In its report, Old data learns new tricks: Managing patient privacy and security on a new data-sharing playground, the advisory firm PwC says health organizations are slipping behind the rapid pace of new technological adoption as there’s more data sharing, increased collaboration with partners, as well as the industry’s fast embrace of electronic health records, mobile computing and social networks.

None of this is news to readers of CSOonline, as we covered the issues previously in “Digitized medical records are easy prey“, and “Is health care security in intensive care?“

The findings are from a U.S.-based PwC Health Research Institute survey of 600 executives from hospitals, physician organizations, health insurers and pharmaceutical and life sciences companies.

In the survey, data theft scored high: In fact, theft of records accounted for 66 percent of reported health data breaches during the previous two years. Also, just over one-third of hospitals and physician groups reported cases of medical identity theft. And 54 percent of health organizations reported at least one issue with information privacy and security over the past two years.

“The increase in thefts doesn’t surprise me, because attackers have the tools and smarts necessary to successfully attack these systems and get away with the goods,” says Pete Lindstrom, research director at Spire Security. “The industry is exposing the data to the world and making more complex apps, and they’re getting hacked as a result.”

As one would suspect, commonly it’s insider improper use of protected health information, with 40 percent of providers saying that has happened in their organization during the 24 months prior to the survey.

With a peek at the lack of policies healthcare organizations have in place, it doesn’t seem too surprising why there are problems with security and privacy. For instance, the survey found that more than half of firms allow access to social networking at work, while only 37 percent incorporate approved uses of mobile devices and social media as part of privacy training.

The survey also found that organizations that try to integrate their privacy and security efforts at least believe that the security of their organization’s data has increased in the past year. However, the actual reduction in breaches for their effort has been anemic, from 1.22 average reported breaches in the past two tears to 1.14.

“It’s tough to tell if companies are getting the value out of their security investments, with the difference in breached vs. non-breached being so tight,” Lindstrom says.

George V. Hulme writes about security and technology from his home in Minneapolis. He can be found on Twitter as @georgevhulme.