The frequency of data breaches in healthcare organizations has increased by 32 percent, with hospitals and healthcare providers averaging four data breaches, according to the Ponemon Institute.
Employee negligence is the primary culprit. According to 41 percent of healthcare organizations surveyed, data breaches involving protected health information (PHI) are caused by sloppy employee mistakes. To compound the problem, half of respondents do nothing to protect mobile devices that are in use in 80 percent of healthcare organizations.
Based on the experience of the healthcare organizations surveyed, data breaches could be costing the U.S. healthcare industry an estimated $4.2 billion to $8.1 billion annually—an average of $6.5 billion—enough to hire more than 81,000 registered nurses nationwide or fund 216 million flu vaccinations.
Data breaches at hospitals and healthcare providers are rising, due to employee mistakes
The number of data breaches rose 32 percent, and the number of compromised patient records in benchmarked organizations increased by an average of 46 percent. According to the research, 55 percent of healthcare organizations say they have little or no confidence that they can detect all privacy incidents. In fact, 61 percent of organizations are not confident they know where their patient data is physically located. Third-party mistakes, including those of business associates (BAs), account for 46 percent of the data breaches reported in the study. 49 percent of respondents cite lost or stolen computing or data devices as the cause of their healthcare data breach incidents.
Widespread use of unsecured mobile devices is at the core of hospital data breaches
More than 80 percent of healthcare organizations use mobile devices that collect, store and/or transmit some form of PHI. Yet, half of all respondents do nothing to protect these devices.
Federal regulations and policies are not reducing data breaches
Only 22 percent of organizations say their budgets are sufficient to minimize data breaches. 83 percent of hospitals have clearly written policies and procedures for notifying authorities of a data breach, but 57 percent don’t believe their policies are effective. The research indicates that the closer personnel are to the data (billing and IT staff, for example), the higher the probability that they do not follow policies and procedures. 42 percent of respondents say administrative personnel in their organizations do not understand the importance of protecting patient data.
More healthcare providers say data breaches are leading to medical identity theft
29 percent of respondents say their data breaches led to cases of medical identity theft. This represents a 26 percent increase compared to 2010. 90 percent of organizations say data breaches cause harm to patients, yet only 25 percent offer basic monitoring services following a breach. 35 percent of healthcare breaches are discovered by a patient complaint.
Data breaches are likely to increase, given lack of resources
73 percent of respondents report lacking sufficient resources to prevent or detect unauthorized access to, loss of, or theft of patient data. 53 percent of organizations cite lack of budget as their biggest weakness in preventing data breaches. The increased use of outside resources and business associates, which goes along with the downsizing of hospital staff, is having a direct impact on privacy and security: 69 percent of organizations say they have little or no confidence in business associates’ ability to secure patient data.
“Healthcare data breaches are an epidemic,” said Dr. Larry Ponemon, chairman and founder, Ponemon Institute. “These problems are a direct result of our national economy. Healthcare organizations—especially not-for-profit hospitals and small clinics—have thin margins, are trimming staff and resources and are lacking sufficient security and privacy budgets needed to adequately protect patients. I don’t see this getting better anytime soon.”
The complete study is available here (registration required).