The Second Annual Benchmark Study on Patient Privacy & Data Security was just released by Ponemon Institute, a privacy and security research firm based in Traverse City, Mich. Some of the findings are surprising, if not shocking given the attention and legislation put in place to deal with this topic. Lip service? One is really left to wonder.

The Data

When looking at the data, let’s also keep in mind that the survey targeted data protection professionals, with 43% of respondents holding the title of chief security officer, chief information security officer, chief information officer, chief privacy officer or chief compliance officer. Additionally, the sample was skewed toward larger healthcare organizations, “excluding the plethora of very small provider organizations, including local clinics and medical practitioners,” the report said. There’s a lot of interesting (and highly disturbing) data in the report, but I’ll focus on only a few highlights according to healthcare organizations responding to the survey: 1.  96% have had at least one data breach in the past 24 months. On average organizations have had 4 data breach incidents during the past two years. Breaches increased 32% from the previous year. (96%?  Does that not sound a lot like 100%?) 2.  The top 3 causes for a data breach are:

1. lost or stolen computing devices
2. third-party snafu
3. unintentional employee action.

Even more troubling is the data in regards to what appears to be the prevailing and unsettling mind-set surrounding security as a priority. 3.  Staff do not understand the importance of patient data protection

1. 66% agree medical billing personnel do not understand the importance of patient data protection
2. 58% say IT personnel do not understand its importance
3. In contrast, 58% say administrative personnel do understand the importance of protecting patient data.

4.  Protecting patient data and privacy is not a priority for healthcare organizations

1. Only  29% of respondents agree that the prevention of unauthorized access to patient  data and loss or theft of such data is a priority in their organizations
2. Less than one-fourth (23%) said their organization has “encryption solutions  installed.”

Email Encryption – a minimum in healthcare prevention for breach of patient data and privacy

Let’s focus for a moment on the last piece of data shown in 4(2) above. Less than one-fourth (23%) said their organization has “encryption solutions  installed.”  This also means that healthcare organizations are not using email encryption (secure email) to communicate patient information securely. Which also ties into 3rd party snafus as one of the top reasons for patient breaches. It seems that email encryption and secure communication should be at the top of the priority list as one of the first steps in securing patient information. The report cites the following types of compromised patient data:

• Medical file
• Billing and insurance record
• Scheduling details
• Prescription details
• Payment details
• Monthly statements

While the report does not provide details about how this information was intercepted, I think it’s a pretty good guess that the breaches were not related to the use of encryption technology. Using phone, unsecured email, fax, couriers, mail, or in-person visits to transfer or share private patient information is not secure and can easily be intercepted. At the very least, healthcare organizations must adopt email encryption to communicate medical, insurance, scheduling and billing statements information with patients and other healthcare organizations.  Email encryption is well positioned to become the way of the future in healthcare communication, and it has the teeth to back up that privilege since it also addresses regulatory compliance with HIPPA and other technical security safeguard standards.  Its adoption must become as routine and pervasive as any other fundamental business practice in the healthcare industry. 51% named inadequate budgets for privacy and security as the top weakness in their healthcare organization’s security program.  Encrypted email is also a highly efficient and cost effective way to prevent patient privacy and data leaks – as well as providing enhanced patient services.  For example, sending monthly e-statements by secure email to patients and other healthcare providers is associated with significant cost savings, efficiencies, as well as the added bonus of a reduced environmental footprint. If email encryption were adopted by the surveyed organizations today, the survey results would show significant improvements next year.  Guaranteed. Ariane Laird works with Email2.

• Email2 provides straightforward secure email encryption, data leak prevention, and e-statement solutions for the healthcare industry using the same security technology as internet banking.
• Email2 enables healthcare organizations to securely send, receive, track and automate delivery of confidential email and large attachments outside the organization – without requiring staff or recipients to change their existing email.
• View our related blog post: 4 ways medical offices can use encrypted email to address compliance and productivity