Despite a gravitation toward new technologies in the medical industry in recent years, many healthcare providers are failing to update their data protection practices for the 21st century, a new study from PricewaterhouseCoopers found.
In a survey of 600 executives from U.S. hospitals and physician organizations, PwC's Health Research Institute found that more than half of health organizations have not updated their data security and privacy practices to account for new technology and cyber threats.
Furthermore, 54 percent indicated that they had experienced some sort of information privacy or security issue in the past two years.
Data breaches and loss in the healthcare industry can be particularly damaging given the sensitive nature of the information healthcare providers often maintain. Hospitals and medical clinics that expose sensitive data or fail to adhere to the regulations set by HIPAA and the HITECH Act risk not only fines but also damage to their reputations.
In recent years, health organizations around the world have adopted new technological trends, such as electronic health records, cloud computing and mobile devices. In the United States, specifically, nearly all healthcare providers are expected to shift from paper to electronic health records by 2014.
But even as these trends unfold, many health organizations are not accounting for the data security implications of these new technologies.
For example, 55 percent of PwC survey respondents indicated they have not yet updated their security policies for new advances in mobile technology, including smartphones and tablets. This may be especially troublesome, as the healthcare industry has been a major proponent of tablet computers. An earlier study from Knowledge Networks found that 27 percent of physicians and specialists have already adopted tablets – five times the rate of the general population.
Additionally, 64 percent of doctors own smartphones, according to Knowledge Networks.
"The health IT and new uses of health information are changing quickly and the privacy and security sometimes may not be moving in step," said PwC director Jim Koenig, according to news provider Reuters. "That is some of the most sensitive and important information to a consumer, so with the advancement of healthcare IT it's only natural that advancements in privacy and security should come along."
Reuters reported that U.S. health and drug regulators are expected to update the rules pertaining to data privacy and protection by the end of the year. It is likely that insider threats will be among the data security concerns addressed in the updated regulations.
According to PwC's report, internal threats – whether malicious or accidental – account for the highest percentage of privacy issues in healthcare. Forty percent of survey respondents said they had reported some form of improper internal use issue in the past two years.
Such was the case for Stanford Hospital in Palo Alto, California. According to the New York Times, the hospital recently reported a major data breach that involved the personal information of some 20,000 emergency room patients.
The hospital had posted information such as names and diagnosis codes on a commercial website for more than a year. Though it doesn't appear the information was posted intentionally, the backlash from critics and data privacy advocates has been significant, and the impending sanctions will likely be substantial.
As hospitals, pharmacies, doctors, insurers and others in the healthcare industry continue to deploy new technologies, a focus on data privacy and protection is imperative. For many, this means introducing data security training to both IT and medical staff. Additionally, healthcare providers will likely benefit from creating what PwC called a "Culture of Confidentiality," in which employees are more aware of the risks of data breaches and are more careful about what they discuss and how they treat sensitive information.
Security News from SimplySecurity.com by Trend Micro