It’s that time of year again, where we look back at 2012 and assess the damage. Last week saw the release of the Third Annual Benchmark Study on Patient Privacy & Data Security by Ponemon Institute, sponsored by ID Experts. The report has some interesting findings about the state of healthcare patient privacy and frequency of data breaches.
Key Findings of the Research
- Data breaches in healthcare are growing.
Ninety-four percent of hospitals in this study suffered data breaches during the past two years. Information breached is largely medical files and billing and insurance records. According to the research, 54 percent of organizations have little or no confidence that they can detect all patient data loss or theft. Based on the experience of the 80 healthcare organizations participating in this research, the resulting cost to the U.S. healthcare industry could be $6.87 billion, up from 2011. The average impact of a data breach is $1.2 million per organization.
- Patients and their information are at risk for medical identity theft.
The causes of data breach cited were loss of equipment (46 percent), employee errors (42 percent), third-party snafu (42 percent), criminal attack (33 percent), and technology glitches (31 percent). More than half of healthcare organizations (52 percent) had cases of medical identity theft. Of the 52 percent of organizations that experienced medical identity theft, 39 percent say it resulted in inaccuracies in the patient’s medical record and 26 percent say it affected the patient’s medical treatment.
- Technology trends threaten current landscape.
Mobile devices in the workplace pose threats to patients’ PHI. Eighty-one percent of healthcare organizations permit employees to use their own mobile devices—commonly called Bring Your Own Device (BYOD)—often to access organization data. Yet 54 percent of organizations are not confident that these personally owned mobile devices are secure. Another technology threat gaining steam is cloud computing. Ninety-one percent of hospitals surveyed are using cloud-based services; many use cloud services to store patient records, patient billing information, and financial information. Yet, 47 percent of organizations lack confidence in the data security of the cloud.
- Organizations are taking steps to detect data breaches, but majority lack budget and resources.
This past year, 36 percent of healthcare organizations have made improvements in their privacy and security programs, in response to the threat of audits conducted by the U.S. Department of Health and Human Services Office for Civil Rights. While 48 percent of organizations are now conducing security risk assessments, only 16 percent are conducting privacy risk assessments. Yet, 73 percent still have insufficient resources to prevent and detect data breaches. And 67 percent of organizations don’t have controls to prevent and/or quickly detect medical identity theft.
You can download and read the full report here “Third Annual Benchmark Study on Patient Privacy & Data Security“