Top Healthcare Breaches And The Rising Costs To Organizations

Inadequate Security Funding Results In Costly Breaches

Healthcare organizations often have to choose between spending on security and spending on patient care, and funds nearly always end up going towards new equipment, according to security experts. The consequences of poor security controls and failing to protect patient healthcare data are costly data breaches, which have steadily increased since 2010, according to the Third Annual Benchmark Study on Patient Privacy and Data Security, issued recently by the Ponemon Institute and sponsored by Portland, Ore.-based ID Experts. The study analyzed 80 healthcare organizations, which included hospitals, clinics and integrated delivery systems, interviewing professionals who work in security, administrative, privacy, compliance, finance and clinical roles.

Continue on to find out not only which healthcare security issues are most affecting healthcare organizations but also just how costly they can be.

Multiple Data Breaches Fueling Rising Costs

Nearly all of the healthcare organizations interviewed by the Ponemon Institute indicated they had at least one data breach in the past two years. The research firm said 45 percent have had more than five incidents. Ponemon estimates that the average economic impact of data breaches over the past two years for the healthcare organizations represented in this study totaled $2.4 million. Organizations with breaches costing more than $500,000 made up 57 percent of the healthcare organizations in the study.

Healthcare Data Protection Failures

Medical files and billing and insurance records are the most likely to be lost or stolen, according to the Ponemon study findings. Lost or stolen payment details increased significantly, according to the study, rising from 17 percent in 2011 to 24 percent in 2012. Security experts point out that much of the data is being outsourced to third-party providers, among which security lapses are more common. The U.S. Department of Health and Human Services (HHS) attempted to address the issue this month, finalizing long-awaited modifications to the Health Insurance Portability and Accountability Act of 1996 and extending the HIPAA privacy rules to subcontractors.

Average Cost Per Stolen Record

According to Ponemon's study, the 80 organizations analyzed had an average of 2,769 lost or stolen records per breach. Ponemon estimates the average cost per lost or stolen record is $194. "Only one data breach could have an economic impact of about $537,186," the firm said. Larry Ponemon, founder and president of the Ponemon Institute, said the average cost to the healthcare industry could potentially be as high as $7 billion annually.

Healthcare Data Breach Root Causes

Insider negligence was the biggest cause of data breaches among the 80 firms studied by Ponemon. Lost or stolen smartphones and tablets were a major problem, followed by employees exposing data unintentionally. Breaches tied to third-party service providers also accounted for a large portion of data breaches. Eighty-one percent of organizations permit BYOD, allowing employees and medical staff to connect their mobile devices to networks or enterprise systems such as email. Ponemon also found that a major challenge for IT security is the increase in criminal attacks, which rose from 20 percent in 2010 to 33 percent in 2012.

Confidence Growing But Resources Still Limited

The Ponemon study found that organizations' confidence in their ability to prevent and detect a data breach has been steadily rising. Processes are being improved, and more policies and procedures are in place, mainly driven by HIPAA compliance initiatives. Ponemon said that 36 percent of the firms indicated that HIPAA audits and fines have affected changes in their organizations' patient data privacy and security programs. But Ponemon found a shortage of technologies, funding and security expertise at many organizations. Only 27 percent of organizations in the study said they have sufficient resources, and 34 percent said they have a sufficient security budget.