A full 79% of respondents were “somewhat concerned” or “very concerned” that their existing controls did not enable timely detection of patient data breaches. Slightly more than half said they did not have adequate tools for monitoring inappropriate access to confidential patient data. At the same time, 47% said they expected their organization to spend more on tools to detect and prevent patient data breaches in the next 12 months.
The survey of 90 privacy and compliance officers at medium-sized to large hospitals found that insiders were responsible for the majority of patient data breaches, with 35% of breaches involving snooping into medical records of fellow employees and 27% involving access to records of friends and relatives. Other causes of breaches included loss or theft of physical records (25%) and loss or theft of equipment storing patient data (20%).
“When [hospitals] do find there is a problem, it is usually an insider looking at a fellow employee or a relative. That is the most frequent kind of breach”, said Alan Norquist, chief executive officer of Veriphyr.
“People talk a lot about USB sticks, paper, and hard drives…but when you talk to the privacy officers, they are concerned about the internal employees because every time an employee looks at someone’s record that they shouldn’t be looking at, you know something bad is happening”, Norquist told Infosecurity.
The survey found that when a patient data breach occurred, 30% of respondents said that the breach was detected in one to three days, 12% within one week, and 17% within two to four weeks. Once a data breach was detected, only 16% said the breach was resolved in one to three days, 18% within one week, and 25% within two to four weeks.
At the same time, a full 80% of those surveyed felt that senior management supports compliance and security initiatives and 88% said they felt top management would listen to their recommendations for improvement. In addition, 65% believe that top management would act on those recommendations in a timely manner.
“In healthcare, the good news is that people who worry about healthcare privacy believe top management does act on their recommendations. That is a good sign for healthcare security because it means that as good solutions become available, they are going to get implemented”, Norquist concluded.