Health data breaches cost $6.5B annually
The number of reported data security breaches in healthcare organizations increased 32 percent from 2010 to 2011, and, on average, there were four breaches per healthcare provider this year, according to the Ponemon Institute's second annual survey on the topic.
The mean cost of these breaches to healthcare organizations was $2.2 million, up 10 percent from last year. In addition, respondents reported that security breaches reduced productivity, caused a loss of goodwill, and contributed to patient churn. Twenty-nine percent of providers said that data breaches had resulted in medical identity theft.
Based on the survey responses, Ponemon estimates that data security breaches cost the U.S. healthcare industry about $6.5 billion a year.
The biggest causes of data breaches were lost or stolen computing devices, third-party snafus and unintentional employee actions. Forty-one percent of respondents said that data was compromised because of sloppy employee mistakes. But the rapidly growing use of mobile devices also contributed to the problem. While 80 percent of healthcare organizations use mobile devices to collect, store or transfer patient information, nearly half the respondents said they were doing nothing to protect those devices from unauthorized use.
The sharing of data with business associates was another big problem. Forty-six percent of the security breaches involved third parties, including business associates.
Fifty-five percent of respondents said they had no or little confidence that their organizations could detect all patient privacy incidents. In fact, 61 percent of organizations are not confident they know where their patient data is physically located.
Recent federal regulations have placed an increased emphasis on the need to protect patient privacy and safeguard personal health information (PHI). Nevertheless, the Ponemon survey found, only 29 percent of respondents said that protection of PHI is a high priority in their organization. On the positive side, 47 percent said their organizations have "sufficient policies that effectively prevent or quickly detect unauthorized patient data access, loss or theft." Last year, in contrast, only 41 percent of respondents agreed with that statement.
While the percentage of respondents who had electronic health records (EHRs) increased from 2010 to 2011, the share of respondents who perceived that those systems enhanced security dropped from 74 percent to 67 percent. Nineteen percent of providers in this year's study said EHRs made no difference to security, compared with 12 percent last year.