Data breaches are a large and costly threat for healthcare providers, which so far have been unable to cope with existing and new challenges of securing patient data. That’s a key finding of the Third Annual Benchmark Study on Patient Privacy & Data Security, released by the Traverse City, Mich.-based Ponemon Institute and sponsored by ID Experts, Portland, Ore.
The survey presents findings based on self-reported benchmark survey returns from 80 organizations, including hospitals and clinics that are part of a healthcare network (46 percent), integrated health delivery systems (36 percent), and standalone hospitals or clinics (19 percent). The survey results are skewed to larger organizations, and exclude very small provider organizations including local clinics and medical practitioners. The survey methods targeted individuals who are currently involved in data protection, security, privacy, or compliance.
The study found that data breaches are pervasive, with 94 percent of the organizations having suffered at least one data breach, and 45 percent having experienced more than five data breaches, during the last two years. Estimated costs for the U.S. healthcare industry are estimated at nearly $7 billion annually, based on the information supplied by the respondent organizations.
Fifty-four percent of the respondents said they had little or no confidencs that they can detect all patient data or theft. Overall data breaches are growing,” says Larry Ponemon, Ph.D., chairman and founder of the Ponemon Institute, who adds that, at least in the healthcare industry, people are somewhat fatalistic, with the perception that they can’t get their arms around the problem completely. “I’m not saying they are giving up, but they are not confident they can deal with these threats,” he says.
A Widespread and Costly Problem
According to the report, the percentage of organizations that have experienced a data breach has increased since the survey was first conducted in 2010, and there are also more organizations reporting multiple data breaches. The economic impact of one or more data breaches of responding organizations ranges from $10,000 to more than $1 million over a two-year period; and the average economic impact of data breaches over the past two years is $2.4 million, an increase of almost $400,000—about 15 percent—since the study was first done in 2010. Data breaches costing more than $500,000 have increased from 48 percent of healthcare organizations participating in the study in 2010 to 57 percent in this year’s study.
While the size of some breaches is small, provider organizations should not be complacent, because even a small data breach can be indicative of a larger problem, cautions Ponemon. “The fact that there is leakage of data is like a ship that starts to leak—sooner or later it sinks,” he says.
Insider negligence is at the root cause of data breaches, with the primary cause of breaches in the study being lost or stolen computing devices (46 percent), followed by employee mistakes or unintentional actions (42 percent), and third-party snafus (42 percent). Not all causes have been benign: there has also been a large jump in criminal attacks, from 20 percent in 2010 to 33 percent this year.
Medical files and insurance records are the types of information most often lost or stolen, and 70 percent say that protected health information (PHI) is at increased risk, followed by financial identity (61 percent) and medical identity theft (59 percent). More than half (52 percent) of respondents say their organizations had one or more incidents involving medical identity theft. While only 18 percent said the theft was the result of a data breach, another 32 percent were unsure—partly because only a third of respondents said their organizations have sufficient controls in place to detect medical identity theft.
“We are very interested in medical identity theft; it’s a big issue that is on the rise,” Ponemon says. “Hospitals have detected this as an emerging threat.”
Larry Ponemon, Ph.D.
On the other hand, respondents are somewhat more confident that patient billing information is susceptible to data loss or theft this year (29 percent said billing information is at risk compared to the year before (39 percent). Similarly, the susceptibility of patient medical records declined from 25 percent of respondents who believed that this type of information was most at risk in 2011 to 15 percent who believed so this year. This is in contrast to a much higher percentage of respondents who believed that employee records have become more susceptible to data loss or theft (an increase from 9 percent in 2011 to 21 percent this year).
Coping with Technology Trends
The rising trends of mobility and employee use of their own devices at work are posing challenges to CIOs. Eighty-one percent of organizations permit their employees and medical staff to use their own medical devices, such as smartphones and tablet computers, to connect with the organizations’ networks or enterprise systems. On average a little over half (51 percent) of employees bring their devices to the facility, yet 46 percent of respondents say their organizations do not do anything to secure the devices. “We were shocked by that,” Ponemon says, noting that 54 percent of respondents are not confident that the personally-owned mobile devices are secure. This year, 18 percent of respondents said a breach occurred due to lost or stolen mobile devices, more than double last year’s number (7 percent).