December 10, 2012
Data breaches plague the vast majority of health care providers, with 94 percent of health organizations reporting at least one breach of patient information in the past two years, a new survey shows.
In addition, 45 percent of 80 organizations that responded to the Ponemon Institute Patient Privacy & Data Security survey reported more than five data breaches during the same two-year period. Slightly more than half of the organizations said the compromised information involved medical identity, with a quarter of those saying the theft affected a patient’s medical treatment.
More than half of the organizations said they have little or no confidence in their ability to detect all breaches, according to a news release. Data breaches cost the U.S. health-care industry an average of $7 billion per year, or $1.2 million per organization, the study finds.
Most of the breaches resulted from lost electronic devices, employees’ mistakes, technology glitches, third-party errors and criminal attacks. The survey also found that 69 percent of surveyed organizations do not secure devices such as insulin pumps that hold protected health information.
The risks will increase with the growing use of mobile and cloud technologies, the study concludes.
For example, 81 percent of the organizations surveyed allow employees to use their own mobile devices, but 54 percent can’t guarantee the security of those devices. And while 91 percent of hospitals in the survey use cloud-based services, 47 percent are unsure that the cloud data are secure.
Nearly three out of four hospitals surveyed said they don’t have the resources to detect or prevent data breaches.
“Clearly, in order for the trend to shift, organizations need to commit to this problem and make significant changes,” said Rick Kam, president and co-founder of Portland, Ore.-based ID Experts, which sponsored the study. “Otherwise, as the data indicates, they will be functioning in continual operational disruption.”
The Ponemon Institute conducts independent research on data privacy and information security.