A new MeriTalk report, based on a survey of healthcare IT executives and underwritten by EMC, quantifies the organizational cost associated with security breaches, data loss, and unplanned outages for healthcare providers, at more than $1.6B a year.
Health information is often a target for malicious activity and 61 percent of global healthcare organizations surveyed have experienced a security related incident in the form of a security breach, data loss, or unplanned downtime at least once in the past 12 months.
Security breaches: Nearly one in five (19 percent) global healthcare organizations has experienced a security breach in the last 12 months at a cost of $810,189 per incident. Health IT executives say the most common causes for breaches include malware and viruses (58 percent); outsider attacks (42 percent); physical security – loss/theft of equipment (38 percent); and user error (35 percent).
Data loss: Nearly one in three (28 percent) global healthcare organizations has experienced data loss in the past 12 months at a total cost of $807,571 per incident. And, of those, more than a third (39 percent) have experienced 5 or more incidences of data loss in the past 12 months. Common causes of data loss include hardware failure (51 percent); loss of power (49 percent); and loss of backup power (27 percent).
Unplanned outages: Almost two out of five (40 percent) global healthcare organizations have experienced an unplanned outage in the past 12 months at a cost of $432,000 per incident. On average, healthcare organizations have lost 57 hours to unplanned downtime over the past 12 months. The most common causes of outages include hardware failure (65 percent); loss of power (49 percent); software failure (31 percent); and data corruption (24 percent).
Providers acknowledge there is more work to be done. Less than one-in-three respondents (27 percent) believe their organization is fully prepared to ensure continuous availability of ePHI during unplanned outages, disaster recovery, or emergency mode operations. And, once an emergency has passed, only 50 percent of respondents are confident in their organization’s ability to restore 100 percent of the data required by SLAs. More than half (56 percent) would need eight hours or more to restore 100 percent of the data. The majority – 82 percent – say their technology infrastructure is not fully prepared for a disaster recovery incident.
Recognizing the importance of trusted IT solutions, organizations plan to focus on encryption of protected health information (55 percent); complying with the security risk analysis EMR Meaningful Use requirements (54 percent); and breach prevention and detection (44 percent).
“Healthcare organizations are making significant IT investments to transform IT infrastructure and ensure that patient information is secure, protected, and highly available,” says Scott Filion, General Manager, Global Healthcare, EMC Corporation. “Trust has become a board-level business priority. Healthcare organizations have always focused on information security, but today they must do more to protect data and ensure accessibility to meet ARRA HITECH HIPPA requirements.”
Of the healthcare organizations who are not currently offering a particular IT capability “as a service,” half plan to do so within the next five years. Many are taking key steps to prepare – including:
- HIPAA Security Risk Analysis as part of EMR Meaningful Use requirements 46%
- Single Sign On and authentication for Web-based applications and portals: 44%
- Audit tools and log management: 43%
- Encryption for protected health information: 42%
- Multi-factor authentication for remote access for clinical staff accessing networks (including ePHI) remotely: 35%
- Security analytics to help with breach prevention: 32%
- Centralized management and authenticated access to health information: 31%
- Data Loss Prevention to monitor the location and flow of sensitive data: 29%.