
Ponemon study says data breaches cost U.S. healthcare $6.5B annually

The frequency of data breaches in healthcare has increased 32 percent in the past year, and breaches cost the industry an estimated $6.5 billion annually, according to the second annual benchmarking study conducted by the Ponemon Institute.

Among the chief culprits responsible for data security breaches were sloppy employee handling of data and the ever-increasing use of mobile devices in the healthcare setting. Forty-one percent of healthcare executives surveyed attributed data breaches involving protected health information (PHI) to employee mistakes, while half of the respondents said their organization does nothing to protect the information contained on mobile devices. In all, 80 percent of healthcare organizations use mobile devices that collect, store and/or transmit some form of PHI.


While total data breaches are up 32 percent, the increases in some areas were even higher. Compromised patient records in benchmarked organizations increased an average of 46 percent, and 55 percent of healthcare organizations say they have little or no confidence that they are able to detect all privacy incidents. In fact, 61 percent of organizations are not confident they know where their patient data is physically located.

Third-party mistakes, including those by business associates, account for 46 percent of data breaches reported in the study. According to 49 percent of respondents, lost or stolen computing or data devices are the reason for healthcare data breach incidents.

As data breaches become an increasing problem in healthcare, there is little evidence that providers have the appropriate resources to stem the tide. Seventy-three percent of respondents reported lacking sufficient resources to prevent or detect unauthorized patient data access, loss or theft, and 53 percent said lack of budget is their biggest weakness in preventing data breaches.

"Healthcare data breaches are an epidemic," said Dr. Larry Ponemon, chairman and founder, Ponemon Institute, in an announcement of the study results. "These problems are a direct result of our national economy. Healthcare organizations – especially not-for-profit hospitals and small clinics – have thin margins, are trimming staff and resources and are lacking sufficient security and privacy budgets needed to adequately protect patients. I don't see this getting better anytime soon."

Rick Kam, president and co-founder of study sponsor ID Experts, said healthcare organizations can minimize their data breach risks with three basic steps:

  1. Take an inventory of PHI/PII. An inventory provides a complete accounting of every element of personally identifiable information (PII) and PHI that an organization holds, in either paper or electronic format. It helps determine how an organization collects, uses, stores and disposes of its PHI. A PHI inventory reveals the risks for a data breach, so organizations can strategically protect PHI data and best plan for a response based on real information.
  2. Develop an Incident Response Plan (IRP). An IRP is an effective, cost-efficient means for helping organizations meet HIPAA and HITECH requirements and develop guidelines related to data breach incidents. The IRP designates roles and provides guidelines for the response team's responsibilities and actions.
  3. Review contracts and agreements with business associates. Business associates are a growing cause of data breaches. These contracts between healthcare organizations and business associates authorize and define business associates' use of the PHI that healthcare providers share with them. Keeping these contracts up to date demonstrates compliance to regulators and helps maintain consistency in how PHI is managed across a healthcare ecosystem.

"Identity theft and medical identity theft resulting from data breach exposure are commonplace, causing patients financial harm, frustration and embarrassment," said Kam, in a press release. "Hospitals must vaccinate against data breach risks in order to take better care of patients and their data."