According to a new survey of health care IT professionals, sensitive and confidential patient health records are not adequately protected from theft or loss.
Despite the data’s sensitivity, 51 percent of those surveyed do not protect patient data used in software development and testing.
Perhaps worse, losses can easily go undetected — 78 percent are not confident or are undecided as to whether their organization could even detect the theft or accidental loss of real data in development or test.
And respondents said breaches are commonplace — 38 percent have had a breach involving data in a development and test environment and 12 percent are unsure if they have had a breach or not.
And respondents know that the consequences of a data breach are high — 59 percent of those experiencing breaches consequently experienced disruption of operations, 56 percent faced regulatory action and 36 percent suffered reputation loss.
The survey findings are being published today in a new report by the Traverse City-based Ponemon Institute titled, “Health Data at Risk in Development: A Call for Data Masking.” The survey was sponsored by Informatica Corp. (Nasdaq:INFA), a provider of data integration software.
Examining the widespread use of real patient data in health care application development and test environments, the report details how this practice exposes health care organizations to the risk of non-compliance with various regulations such as the Health Insurance Portability and Accountability Act (HIPAA). Additionally, the research provides guidelines for reducing exposure, including the now vital practice of masking and securing live data.
Other key research findings, based on a survey of more than 450 IT professionals in U.S. healthcare organizations, include:
* Outsourcing and cloud computing increase the security risk. Outsourcing development and test activities or using cloud computing resources introduces additional risk factors, which often prevent health care organizations from turning to these potentially advantageous resources. Forty percent do not outsource due to security concerns, while a mere 19 percent are confident or very confident about security in a cloud environment.
* Healthcare industry disillusioned with data protection goals — Protection of real data in the development and testing environment is important to respondents but the majority does not know or believe they are successful in achieving this goal. Seventy-four percent say that meeting privacy and data protection requirements in the health care services industry is important but only 35 percent say they believe their company is successful in achieving this goal.
With only 35 percent of respondents believing their organization is successful at protecting patient privacy in development and test environments, Ponemon Institute recommends immediate actions including:
* Centralized executive oversight — Create a single point of executive-level responsibility coupled with policies and procedures for safeguarding your organization’s real data in non-production environments.
* Data masking — Invest in key technologies including tools to transform or mask sensitive or confidential data without diminishing the richness of the data necessary for successful testing and development.
* Data masking helps safeguard sensitive, private or confidential data such as protected health information (PHI) or personal health records (PHR) by masking it in-flight or in-place. As a result, fully functional, realistic data sets can be used safely in development, testing, training and other non-production environments. Regardless of whether the work is managed in-house, offshored or outsourced, companies have the peace of mind of knowing they will not be exposed to malicious or inadvertent data spills or be in violation of the Health Information Technology for Economic and Clinical Health Act (HITECH Act) or other regulations.
* With Informatica Data Masking, sensitive data can be discovered and systematically de-identified using algorithms that obfuscate the original data, but retain its original format and properties so that applications that depend on that data continue to function properly during development and test activities.
“Health Data at Risk in Development: A Call for Data Masking is a wake-up call for the health care industry, where the average per-victim cost of a data loss is $294 — a whopping 44 percent higher than the norm across all industries,” said Larry Ponemon, chairman and founder of the Ponemon Institute. “Healthcare organizations have achieved great success in safeguarding their data in production environments. Now it is time to act just as resolutely and systematically to protect patient confidentiality and privacy in non-production environments.”
More at www.informatica.com.