Study: Healthcare data breaches a growing concern

Dec. 10, 2012
More than 90 percent of healthcare organizations say they have suffered at least one data breach in the past two years

According to a new study conducted by the Ponemon Institute, a staggering 94 percent of healthcare organizations, which includes hospitals, clinics and integrated delivery systems, reported that they had suffered at least one data breach in the past two years.

The "Third Annual Benchmark Study on Patient Privacy and Data Security," which was sponsored by data breach solutions provider ID Experts and consisted of responses from 324 interviews across 80 healthcare organizations, found that another 45 percent of respondents had suffered more than five incidents. Just 29 percent of respondents reported suffering more than five data breaches in 2010.

Among the most common types of breaches cited included lost equipment (46 percent), employee errors (42 percent), third-party error (42 percent), criminal attack (33 percent), and technology glitches (31 percent). More than half of the healthcare organizations surveyed (52 percent) said they had cases of medical identity theft.

The costs of a data breach can also vary widely, from less than $10,000 at the low end to more than $1 million in some cases. The average cost of a breach to organizations represented in this study were $2.4 million over a two-year period, a slight increase from the studies conducted in 2011 ($2.2 million) and 2010 ($2.1 million). Overall, the study estimates that the cost of data breaches to the U.S. healthcare industry could be nearly $7 billion annually.

In addition, the survey found that 69 percent of organizations do not secure medical devices – such as mammogram imaging and insulin pumps – which contain protected health information (PHI) about patients. Perhaps the biggest threat to patient data, however, is the proliferation of mobile devices in the workplace. Of those surveyed, 81 percent said they allowed employees to bring their own mobile device to access organizational data, but 54 percent indicated that they are uncertain of whether or not these devices are secure.

"Healthcare organizations face many challenges in their efforts to reduce data breaches," said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. "This is due in part to the recent explosion of employee-owned mobile devices in the workplace and the use of cloud computing services. In fact, many organizations admit they are not confident they can make certain these devices are secure and that patient data in the cloud is properly protected. Overall, most organizations surveyed say they have insufficient resources to prevent and detect data breaches."

According to the study, only 40 percent of organizations that took part in the study said they have confidence they can prevent or quickly detect all patient data loss or theft.

"The trend continues; data breaches are increasing, patient information is at risk, yet healthcare organizations continue to follow the same processes," said Rick Kam, president and co-founder of ID Experts. "Clearly, in order for the trend to shift, organizations need to commit to this problem and make significant changes. Otherwise, as the data indicates, they will be functioning in continual operational disruption."

Among the steps that Kam recommends healthcare organizations take to better secure data include:

  1. Operationalize pre-breach and post-breach processes, including incident assessment and incident response processes
  2. Restructure the information security function to report directly to the board to symbolize commitment to data privacy and security
  3. Conduct combined privacy and security compliance assessments annually
  4. Update policies and procedures to include mobile devices and cloud
  5. Ensure the Incident Response Plan (IRP) covers business associates, partners, cyber insurance

For more information or to download the full report, visit http://www2.idexpertscorp.com/ponemon2012/.

About the Author

Staff Reports

Editorial and news reports authored by the media team from Cygnus Security Media, including SecurityInfoWatch.com, Security Technology Executive magazine and Security Dealer & Integrator (SD&I) magazine.