Data Breaches Cost Health Care Industry $6.5 Billion; Breaches Up 32%
TRAVERSE CITY -- A new study from the Traverse City-based data security consultancy Ponemon Institute and Portland, Ore.-based ID Experts found that the frequency of data breaches in health care organizations surveyed has increased by 32 percent, with hospitals and health care providers averaging four data breaches.
Employee negligence is the primary culprit. According to 41 percent of health care organizations surveyed, data breaches involving protected health information are caused by sloppy employee mistakes.
To compound the problem, half of respondents do nothing to protect mobile devices that are in use in 80 percent of health care organizations.
Based on the experience of the health care organizations surveyed, data breaches could be costing the U.S. health care industry an estimated $4.2 billion to $8.1 billion annually -- an average of $6.5 billion -- enough to hire more than 81,000 registered nurses nationwide or fund 216 million flu vaccinations.
For a free copy of the 2011 Benchmark Study on Patient Privacy and Data Security, visit http://www2.idexpertscorp.com/ponemon-study-2011.
Key findings of the research include:
* Data breaches at hospitals and health care providers are rising, due to employee mistakes. Data breaches represent a 32 percent increase, with compromised patient records in benchmarked organizations increasing an average of 46 percent. According to the research, 55 percent of health care organizations say they have little or no confidence they are able to detect all privacy incidents. In fact, 61 percent of organizations are not confident they know where their patient data is physically located. Third-party mistakes, including business associates, account for 46 percent of data breaches reported in the study. According to 49 percent of respondents, lost or stolen computing or data devices are the reason for healthcare data breach incidents.
* Widespread use of unsecured mobile devices is at the core of hospital data breaches. More than 80 percent of health care organizations use mobile devices that collect, store and/or transmit some form of PHI. Yet, half of all respondents do nothing to protect these devices.
* Federal regulations and policies are not reducing data breaches. Only 22 percent of organizations say their budgets are sufficient to minimize data breaches. 83 percent of hospitals have clearly written policies and procedures to notify authorities of a data breach, but 57 percent don't believe their policies are effective. The research indicates that the closer the personnel are to the data -- such as billing and IT -- the higher the probability of not following policies and procedures. Forty-two percent of respondents say administrative personnel in their organizations do not understand the importance of protecting patient data.
* More health care providers say data breaches are leading to medical identity theft. Twenty-nine percent of respondents say their data breaches led to cases of medical identity theft. This represents a 26 percent increase compared to 2010. 90 percent of organizations say data breaches cause harm to patients, yet only 25 percent offer basic monitoring services following a breach. 35 percent of healthcare breaches are discovered by a patient complaint.
* Data breaches are likely to increase, given lack of resources. Seventy-three percent of respondents reported lacking sufficient resources to prevent or detect unauthorized patient data access, loss or theft. 53 percent of organizations cite lack of budget as their biggest weakness in preventing data breaches. The increased use of outside resources and business associates -- associated with the downsizing of hospital staff -- is having a direct impact on privacy and security. 69 percent of organizations say that they have little or no confidence in business associates' ability to secure patient data.
"Health care data breaches are an epidemic," said Larry Ponemon, chairman and founder of the Ponemon Institute. "These problems are a direct result of our national economy. Healthcare organizations -- especially not-for-profit hospitals and small clinics -- have thin margins, are trimming staff and resources and are lacking sufficient security and privacy budgets needed to adequately protect patients. I don't see this getting better anytime soon."
"Hospital employees are exposing patient data like the back of a hospital gown," said Rick Kam, president and co-founder of ID Experts. "Identity theft and medical identity theft resulting from data breach exposure are commonplace, causing patients financial harm, frustration and embarrassment. Hospitals must vaccinate against data breach risks in order to take better care of patients and their data."
According to Rick Kam at ID Experts, healthcare organizations can minimize their data breach risks with three basic steps:
1. Take an inventory of PHI/PII. An inventory provides a complete accounting of every element of personally identifiable information and PHI that an organization holds, in either paper or electronic format. It helps determine how an organization collects, uses, stores and disposes of its PHI. A PHI inventory reveals the risks for a data breach, so organizations can strategically protect PHI data and best plan for a response based on real information.
2. Develop an Incident Response Plan (IRP). An IRP is an effective, cost-efficient means for helping organizations meet HIPAA and HITECH requirements and develop guidelines related to data breach incidents. The IRP designates roles and provides guidelines for the response team's responsibilities and actions.
3. Review contracts and agreements with business associates. Business associates are a growing cause of data breaches. These contracts between healthcare organizations and business associates authorize and define business associates' use of the PHI they share with healthcare providers. Keeping these contracts up-to-date demonstrates compliance to regulators and helps maintain consistency in how PHI is managed in a healthcare ecosystem.
A free webinar with Larry Ponemon and Rick Kam will be held Thursday, Dec. 8 at 1 p.m. To register, visit https://idx.webex.com/idx/onstage/g.php?t=a&d=963207501.
The study used in-depth, field-based research involving interviews with senior-level personnel at health care providers to collect information on the actual data loss and data theft experiences at their organizations. This benchmark research, in contrast to a traditional survey-based approach, enables researchers to collect both the qualitative and quantitative data necessary to understand the current status of patient privacy and data security in the healthcare organizations that participated in the study.