The PHI crisis in healthcare is putting patient safety and privacy at risk. Healthcare organizations represented in this research experienced an average of 74 cyberattacks in the past two years, and almost half of respondents (47 percent) say these cyberattacks resulted in the loss, theft or data breach of PHI. Over the past two years, the cost to detect, respond to and remediate PHI cyberattacks was $2.6 million, and another $1.6 million was spent to hire staff, paralegals and technologies to determine the cost to patients.
Protected health information (PHI) is any information in the medical record or designated record set that can be used to identify an individual and was created, used, or disclosed when providing a health care service such as diagnosis or treatment.
The purpose of this research, sponsored by Tausight and independently conducted by the Ponemon Institute, is to understand the challenges healthcare organizations face in securing PHI data. Ponemon Institute surveyed 551 US IT and IT security practitioners who are in the following healthcare organizations: hospitals (37 percent of respondents), healthcare service providers (23 percent of respondents), clinics (21 percent of respondents) and healthcare systems (19 percent of respondents). The primary responsibilities of respondents are managing IT and IT security budgets, assessing cyber risks to PHI, setting IT or IT security priorities and selecting vendors and contractors.
Healthcare organizations’ ability to protect patient PHI is in critical condition. Organizations are losing control of the risk because of the lack of visibility into the enormous amount of PHI outside EHR. There are two serious root causes of the PHI crisis. According to 58 percent of respondents, their organizations are unable to determine how much PHI exists outside of EHR, where it is and how it is being accessed. And fifty-five percent of respondents say their organizations are at risk because of the excessive presence of PHI across their data centers, endpoints and email accounts. On average, organizations have 30,030 network-connected devices.
Findings that illustrate the PHI crisis in healthcare
- Organizations lack the budget to invest in PHI protection technologies (52 percent of respondents) and the ability to have the necessary expertise to manage PHI protection technologies (48 percent of respondents).
- Current legacy technologies have difficulty protecting the enormous amounts of PHI across organizations’ systems (66 percent of respondents) and identifying PHI on servers and endpoints to understand what to put in organizations’ secure storage (69 percent of respondents).
- Migration to the cloud and collaboration tools have increased risks to PHI (52 percent of respondents).
- The level of security risk to PHI created by remote care and by access to or transmission of PHI outside the firewall is very high, according to 57 percent of respondents.
- Current technologies are not improving visibility into PHI outside EHR. As a result, only 39 percent of respondents say their organizations have a high ability to detect and classify unstructured data and only 47 percent of respondents say their organizations have a high ability to detect and classify structured data wherever they exist throughout the expanding digital environment.
- Only 30 percent of respondents say their organizations have significant visibility into PHI located in the data center and endpoints where it is exchanged between doctors’ and patients’ systems or applications.
- Most organizations say DLP and DSP software are not effective in improving visibility into PHI on endpoints, networks and in the cloud and providing visibility into data movement of PHI.
- Once organizations have a PHI data breach, 71 percent of respondents say it is very difficult to assess how many patients were affected by the breach, and almost half of respondents (47 percent) say their organizations are likely to overreport the number of patients affected because of the difficulty in determining the device or server that was compromised.
- The negative consequences of a PHI data breach are exacerbated because it can take an average of more than two months to recover, remediate and assess the impact to PHI and to be able to disclose the breach and notify affected patients.
- Insiders put PHI data at risk. The most frequent types of insider negligence are accessing PHI on uncontrolled devices and accessing hyper-connected endpoints on networks and varying IT security standards. Other frequent incidents are sending emails with unencrypted PHI and moving PHI to an unknown USB drive, after which the data is lost.