It is really bad, according to a recent survey by the Ponemon Institute (available here with registration). The white paper, entitled Health Data at Risk in Development: A Call for Data Masking, presents the results of a survey of 492 health care IT professionals on their companies’ practices regarding use of live personal health care data in application testing.
It makes a scary read. Here are the lowlights:
- 57 percent of respondents say “their organizations use patient billing and insurance information in development and test of IT applications.”
- 57 percent responded that their company “does not protect real data used in software development and testing.”
- Many respondents “admit real data used in the testing and development environment has been lost or stolen.” “Thirty-eight percent say they have had a breach involving real data and 12 percent are uncertain.”
The white paper lists a litany of health care data transgressions like those above, then reviews the stiff legal penalties associated with health care data security breaches, which can be as high as $250,000 per violation.
The paper ends with these recommendations:
- Assign a Chief Information Security Officer (CISO) “for the safeguarding of real data used in application testing and development.
- “Create policies and procedures for the protection of real data used in application testing and development.
- “Educate employees about the importance of protecting sensitive data in application testing and development.
- “Use encryption, data leak prevention, access management, and other information security technologies.
- “Use de-identified, masked, or dummy data rather than live data in the test and development process.”
Certainly all of these measures can be valuable, and to this list I would add a seventh recommendation from a recent article on this site: “background checks and non-disclosure agreements for developers and testers as with health care staff and claims administrators.”
I believe that most organizations by now consistently apply education, encryption/physical security, and background checks. The current strategy of choice seems to be having trustworthy individuals work in a secure, encrypted environment. Hopefully recent highly publicized breaches in the financial world will drive information security to the C level of the organization and mandate effective masking tools in application development and test.