Healthcare IT is undergoing a revolution: Electronic Health Records, ICD-10, Meaningful Use incentives, and the list goes on. However, patients and providers alike are expressing concerns about security. A new study shows those concerns are warranted. The study revealed that healthcare organizations are less secure than retail, a cause for concern given the recent hacking incidents at high-profile retail chains.
Healthcare Scores the Lowest
The study, performed by security rating firm BitSight Technology, analyzed data across four industries: finance, utilities, retail, and healthcare and pharmaceuticals. It examined factors such as communication with a botnet, malware distribution and spam propagation. While 82 percent of the organizations evaluated experienced some type of security compromise, healthcare had the worst performance. The healthcare sector saw the biggest growth in IT security breaches but took the longest to respond: five days, compared to 3.5 days in the other sectors. BitSight CTO Stephen Boyer said, "Despite increasing awareness about these risks, healthcare organizations are far behind their peers."
According to the study, patient records are high in value, fetching about $20 per record on the black market compared to only $1 per credit card. In addition to exposing sensitive information about the patient, thieves sell data to be used for insurance fraud.
A Learning Curve
As an industry, healthcare failed the security test. However, researchers were quick to admit that specific healthcare organizations led the pack. The good news is that studies like these are opening dialogue and raising awareness. Boyer went on to explain that healthcare is new to the security arena. The finance industry, for example, has been securing data for decades. It's understandable that healthcare would have to endure something of a learning curve. However, if healthcare organizations don't act fast, the learning curve could prove to be costly. Just recently the Department of Health and Human Services (HHS) fined New York and Presbyterian Hospital and Columbia University $4.8 million in a HIPAA breach case.
HIPAA and the HITECH Act have helped enforce much-needed security regulations. However, data breach statistics in healthcare show more instances of data loss due to employee error than to cyberattacks, emphasizing the need to balance employee training, process improvement and legislative compliance as part of effective medical practice management.