Survey: 94% of providers had data breach in past two years

Almost all healthcare organizations surveyed suffered at least one data breach during the past two years. The Third Annual Benchmark Study on Patient Privacy & Data Security by Ponemon Institute, sponsored by ID Experts, found that 94 percent of those organizations surveyed suffered at least one breach and 45 percent experienced more than five data breaches.

Based on the experience of the 80 healthcare organizations participating in this research, data breaches could be costing the U.S. healthcare industry an average of $7 billion annually. The average impact of a data breach is $1.2 million per organization.

A new finding indicates that 69 percent of organizations surveyed do not secure medical devices—such as mammogram imaging and insulin pumps—which hold patients' protected health information (PHI). Overall, the research indicates that patients and their PHI are at increased risk for medical identity theft. Risks to patient privacy are expected to increase, especially as mobile and cloud technology become pervasive in healthcare.

Information breached is largely medical files and billing and insurance records. According to the research, 54 percent of organizations have little or no confidence that they can detect all patient data loss or theft. Patients and their information are at risk for medical identity theft.

The causes of data breach cited were loss of equipment (46 percent), employee errors (42 percent), third-party snafu (42 percent), criminal attack (33 percent) and technology glitches (31 percent). More than half of healthcare organizations (52 percent) had cases of medical identity theft. Of the 52 percent of organizations that experienced medical identity theft, 39 percent say it resulted in inaccuracies in the patient's medical record and 26 percent say it affected the patient's medical treatment.

Eighty-one percent of healthcare organizations permit employees to use their own mobile devices, often to access organization data. Yet 54 percent of organizations are not confident that these personally owned mobile devices are secure. Cloud computing is another, and growing, technology threat. Ninety-one percent of hospitals surveyed are using cloud-based services; many use cloud services to store patient records, patient billing information and financial information. Yet, 47 percent of organizations lack confidence in the data security of the cloud.

Organizations are taking steps to detect data breaches, but majority lack budget and resources.
This past year, 36 percent of healthcare organizations have made improvements in their privacy and security programs, in response to the threat of audits conducted by the Department of Health and Human Services Office for Civil Rights. While 48 percent of organizations are now conducing security risk assessments, only 16 percent are conducting privacy risk assessments. Yet, 73 percent still have insufficient resources to prevent and detect data breaches. And 67 percent of organizations don't have controls to prevent and/or quickly detect medical identity theft.

"Healthcare organizations face many challenges in their efforts to reduce data breaches," said Larry Ponemon, PhD, chairman and founder, Ponemon Institute, in a release. "This is due in part to the recent explosion of employee-owned mobile devices in the workplace and the use of cloud computing services. In fact, many organizations admit they are not confident they can make certain these devices are secure and that patient data in the cloud is properly protected. Overall, most organizations surveyed say they have insufficient resources to prevent and detect data breaches."

"The trend continues: data breaches are increasing, patient information is at risk, yet healthcare organizations continue to follow the same processes," said Rick Kam, president and co-founder of ID Experts. "Clearly, in order for the trend to shift, organizations need to commit to this problem and make significant changes. Otherwise, as the data indicate, they will be functioning in continual operational disruption."

Kam offers five recommendations for healthcare organizations:

1. Operationalize pre-breach and post-breach processes, including incident assessment and incident response processes.
2. Restructure the information security function to report directly to the board to symbolize commitment to data privacy and security.
3. Conduct combined privacy and security compliance assessments annually.
4. Update policies and procedures to include mobile devices and cloud.
5. Ensure the Incident Response Plan covers business associates, partners, cyber insurance.
 

Beth Walsh,

Editor

Editor Beth earned a bachelor’s degree in journalism and master’s in health communication. She has worked in hospital, academic and publishing settings over the past 20 years. Beth joined TriMed in 2005, as editor of CMIO and Clinical Innovation + Technology. When not covering all things related to health IT, she spends time with her husband and three children.

Around the web

The American College of Cardiology has shared its perspective on new CMS payment policies, highlighting revenue concerns while providing key details for cardiologists and other cardiology professionals. 

As debate simmers over how best to regulate AI, experts continue to offer guidance on where to start, how to proceed and what to emphasize. A new resource models its recommendations on what its authors call the “SETO Loop.”

FDA Commissioner Robert Califf, MD, said the clinical community needs to combat health misinformation at a grassroots level. He warned that patients are immersed in a "sea of misinformation without a compass."

Trimed Popup
Trimed Popup