Data breaches widespread among U.S. hospitals: report

December 06, 2012
by Brendon Nafziger, DOTmed News Associate Editor
Last week Grady Memorial Hospital in Atlanta revealed that 900 ambulance patients might have had their personal information stolen by an employee of the company that runs the hospital's billing system. Investigators are trying to figure out whether the information, which included Social Security numbers, was used for any illegal purpose.

The data breach might be an inconvenience for Grady and its patients, but it's not an uncommon one. Grady is actually in rather large company. About nine in 10 surveyed U.S. hospitals have had a data breach over the past two years, with close to half reporting more than 5 breaches, according to a new report released Thursday by the Ponemon Institute. Some 2,800 records are compromised, on average, per breach, Ponemon said.

And the data leakage is not cheap. Ponemon reckons the average economic impact of a breach to a health care organization every year reaches $1.2 million, meaning the total hit to the U.S. health care system because of stolen laptops, hacked servers or lost thumb drives is estimated to be almost $7 billion.

Rick Kam, co-founder and president of ID Experts, an identity theft protection firm that sponsored the report, said the cost of a breach is not just the direct cost of legal bills. For big institutions, it also includes lost revenue from patients who go to a different center for treatment after being spooked by the breach. The lifetime value of a patient to a health system is calculated at around $107,000, he said.

"If the organization is a high profile organization like a Kaiser or a Johns Hopkins, much of their cost can be in lost opportunities," he told DOTmed News.

Crimes and misdemeanors

The study also found criminal attacks are on the rise. Cyber break-ins were reported by 20 percent of respondents as a cause of a breach in 2010, a number that has grown to 33 percent this year. The reason for the change? No one's sure, but Ponemon Institute founder and chairman Larry Ponemon said crooks might realize health care organizations are more vulnerable than other sorts of businesses. Also, purloined medical identity has a lot of street value. Kam said he heard it was worth about 50 times what a social security number could bring.

Medical identity theft — that is, using someone's health insurance number or other identifying information to get health care services — can be used to score prescription drugs, for instance. In the report, Ponemon found over half of the organizations had experienced an ID theft. All told, Kam estimated that about 1.85 million Americans were affected by medical ID theft this year — a pool of victims about as large as the population of Philadelphia.

Still, most breaches were not the result of an outside hack perpetrated by some shadowy gang of Internet thieves. Rather, the leading cause of a breach was a laptop, smartphone or other device getting lost or stolen, followed by an employee goof-up and an error by a third-party group.

"Most of the data breaches are in fact caused by employee negligence," Ponemon told DOTmed News. "They're not malicious."

He added in a follow-up e-mail an estimated two-thirds of breaches recorded in the study were not due to "criminal mischief."

Threat vectors

But Ponemon found lots of room for more threats in the future, as most hospitals now use cloud-based services and 81 percent let employees practice the controversial BYOD, or Bring Your Own Device, meaning staff may use their own mobile devices to connect to a network or enterprise system. Yet almost half of those organizations don't ensure those devices are protected.

Also, most surveyed organizations do not secure their medical devices. Ponemon said in the report that mammography scanners, heart pumps and insulin pumps often use commercial PCs and wireless connections that could make them prey to hackers, yet 69 percent of respondents did not secure these or other devices. "This finding may reflect the possibility that they believe it is the responsibility of the vendor — not the health care provider — to protect these devices," the report said.

What should providers do? Kam and Ponemon say it mostly comes down to more frequent checks and better planning. Hospitals should have daily checks on their systems, do annual risk assessments that take into account new technologies, like the cloud and mobile devices, make sure business associates (like cyber insurance providers) are included in their response planning, and create a data breach plan the same way they would make a fire escape plan.

"When you discover you had a lost laptop that had protected health information, you can basically scramble the executive team — the crisis team if you will — so they can respond effectively," Kam said.

The survey, the Third Annual Benchmark Study on Patient Privacy and Data Security, is based on responses from 80 organizations, a 16 percent response rate, Ponemon said in the report. Ponemon noted the survey had some limitations and some of the results might not be generalizable to the whole health care system, largely due to the small sample size.