Despite requirements in the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 for healthcare providers to provide stronger safeguards for patient data, many hospitals are unprepared for the task. Moreover, data breaches cost the healthcare system an estimated $6 billion annually, according to a study released in November by the Ponemon Institute, Traverse City, Mich. The study was sponsored by ID Experts, Portland, Ore.
The study suggests that healthcare providers have a compelling economic reason to improve the data security in their organizations during the next year. “In general, when provider organizations have a data breach, they don’t understand the cost impact,” according to Larry Ponemon, chairman and founder of the Ponemon Institute. “They don’t understand all of the indirect or intrinsic costs that are associated with these kinds of data breaches.” Many clinicians also do not understand the economic impact of breaches, he adds.
A total of 65 healthcare organizations participated in the study, and the respondents who were interviewed work in all areas of the organization, including security, administration, privacy, compliance, finance and clinical care.
Key findings of the study include:
• The economic impact of data breach incidents over a two-year period is approximately $2 million per organization.
• Healthcare organizations said they have inadequate resources (71 percent), few if any trained personnel (52 percent) and insufficient policies and procedures in place (69 percent) to prevent and quickly detect data loss. Fifty-eight percent of the respondents said they have little or no confidence in their ability to secure patient records.
• Seventy percent of hospitals said that protecting patient data is not a priority. The majority of responding organizations (67 percent) have fewer than two staff members dedicated to data protection management. Most at risk are patient billing records and medical records. Patients are typically the first to detect a significant number of breaches at healthcare organizations (41 percent).
• A majority (71 percent) of respondents do not believe that the passage of the HITECH Act or the widened scope of privacy and security protections under HIPAA has significantly changed the management of patient records.
• The top three causes of breaches are unintentional employee action, lost or stolen computing devices and third-party snafus. Sixty-three percent of the organizations said they took between one and six months to resolve the incident.
Interestingly, 56 percent of respondents said they are either in the process of implementing an electronic health record (EHR) system. A majority of those that have an EHR system said it has made patient data more secure.
Ponemon notes that the most common breaches involve about 100 records or fewer. While these don’t typically garner the headlines that mega-breaches of millions of health records do, the smaller breaches have a significant cumulative economic impact, as well as damaging the provider’s reputation. “People care deeply if their records are stolen, especially if their health records are lost or stolen,” he says. The Ponemon Institute has estimated the average lifetime value of one lost patient to be $107,580.
He adds that regulatory compliance can go only so far in improving security in an organization. “HIPAA, which has been around for a long time, has improved the state of data record security and has enabled better privacy practices. So I believe it has worked in part,” he says. “But I also think that a lot of these organizations that could go beyond compliance, and use the resources to do it, are probably not going to make the investments. They are going to look for things to get them just barely to the requirement. That almost diminishes your security mission, because you are focusing on the wrong things.”