Curbing data breaches is still an unachieved target for the healthcare industry, according to two reports published last week by the Ponemon Institute and the Health Information Trust Alliance (HITRUST). In its third annual study on patient privacy and data security, the Ponemon Institute determined that almost 94 percent of the 80 healthcare organizations that participated in the study had experienced at least one data breach incident in the past two years. Of these, 45 percent said that they had experienced more than 5 such incidents during this period.
Moreover, 54 percent of the participants said that they had very little confidence in their ability to detect information security breaches. What is more noteworthy is that these data breach incidents cost healthcare entities $6.78 billion annually. Ponemon estimated in the survey that for organizations dealing with breaches, the average economic impact was $2.4 million over a two-year period, compared to $2.2 million in 2011 and $2.1 million in 2010.
Larry Ponemon, chairman and founder of the Traverse City, Michigan-based privacy research organization, said that it is quite likely that many organizations have had multiple data breaches but did not have the means or resources to know about or report them. He also said that a more disturbing aspect of the findings is that such data breaches may be happening every day but are not a priority for leaders in the industry, and that the level of concern and caution shown in other industries, such as banking, seems to be missing here.
Similarly, the second report, published by HITRUST, found that there have been 495 breaches involving 21 million records since 2009, at a cost of roughly $4 billion. Of these, 80 breach incidents affecting more than 500 individuals have taken place this year alone. However, according to this report, the total number of breaches has come down since 2009, which may be attributed to the implementation of the breach notification rule in September 2009. The HITRUST study found that 70 percent of the breaches were electronic, and 96 percent of the breached records were in electronic format. The study also revealed that smaller physician practices with 100 or fewer employees account for more than 60 percent of the breach incidents.
Findings from both studies clearly reinforce the need for healthcare entities to prioritize identifying and implementing methods to detect and prevent breaches. Hence, both HITRUST and the Ponemon Institute recommend accelerating encryption efforts and including business associates in security-related initiatives. Other recommended preventive measures include implementing mobile device management software that can help administer security controls, using an intrusion detection system that can catch attacks in time, and improving employee training in matters of data privacy and security.
With the increasing use of personal mobile devices by employees, and the digitization and sharing of patient data, preventing data breaches is now a bigger challenge for organizations. Healthcare entities should therefore give top priority to data security in the coming year, and should adopt a comprehensive data security solution like SecureGRC that can help detect and prevent data breaches in time.