News Feature | July 25, 2013

Carelessness With Cloud Putting Providers At Risk

Source: Health IT Outcomes
Greg Bengel

By Greg Bengel, contributing writer

A recent study finds healthcare organizations have a long way to go to mitigate data breach risks posed by cloud technology and mobile devices

A recent study by the Ponemon Institute stresses the extent to which cloud technology poses a risk to provider data. According to the study, health organizations are negligent and sloppy when it comes to data stored in clouds and mobile devices. The negligence is coming back to bite healthcare organizations. Of the study’s survey respondents, 54 percent have had an average of five data breach incidents involving loss or theft of a mobile device containing confidential data. 

The security of data in the cloud is an issue of utmost concern to healthcare providers. Fierce Health IT reports that — primarily due to security and performance concerns —- the healthcare industry is slower than most when it comes to adopting cloud technology. In fact, healthcare ranked seventh out of eight industries when it came to adoption.

But is the issue the devices or the employees using them? An article from IT Business Edge makes reference to a claim by Larry Ponemon, chairman and founder of the Ponemon Institute, that, regardless of who is operating them, the devices themselves are not secure. Ponemon’s “right, up to a point,” says the article. “Devices have vulnerabilities. There are too many questions about how to handle cloud security. But when you look at how many employees handling the data either aren’t making an effort to be secure or don’t care or don’t know that they have to – numbers that are too high and are clearly revealed in this study – it isn’t fair to put the blame on the devices.”

Study results add to the credibility of this point of view. The report lists a number of reasons why the data on mobile devices and in the cloud is at risk. Specifically, organizations:

  • do not know how much data is on the mobile devices and in the cloud
  • do not prevent employees from accessing regulated data using unsecured mobile devices
  • do not make the risk a top security priority
  • do not monitor employees who handle the data
  • do not stress the importance of protecting the data, and
  • do not have the necessary practices in place.

According to the Ponemon Institute study, many employees are simply lacking knowledge of the security requirements surrounding the confidential data with which they routinely interact. Both the article from IT Business Edge, as well as this article from Fierce Health IT concerning the study, stress one particularly disturbing fact from the 31-page study. “Approximately 33 percent of respondents said that they need to access PHI to do their work. Nevertheless, only 15 percent of survey participants knew of HIPAA's security requirements for regulated data on mobile devices despite 33 percent of respondents indicating that they are part of a HIPAA covered entity,” reports Fierce Health IT.