New Health Insurance Portability and Accountability Act (HIPAA) security and privacy regulations have resulted in an increase in the frequency of notifications about health care data breaches. Under the new regulations, providers face fines of as much as $50,000 for each breach.
But there are other concerns for providers -- and recent survey data from the Ponemon Institute LLC underscores the monetary and public relations costs of a health care data breach.
One survey calculated the cost of a data breach in actual dollars, and pointed to the importance of stringent security policies. The second showed the real but intangible costs in public opinion. Americans have little faith their health data will be protected, especially if the government gets involved. The silver lining? They do have a sense of what CIOs can do to ensure that patient information is less likely to be lost in a health care data breach.
Cost of a data breach higher for health care
In its annual survey on the financial cost of a data breach, Ponemon found that in 2009, it cost U.S. companies without a chief information security officer about $236 per compromised record, compared with $157 if the company had a CISO. On average, data breaches cost $204 per compromised record, a $2 increase from 2008.
Health care providers, however, aren’t average. They pay an average of $294 per compromised record to clean up the mess, and among the 15 industry categories in the survey, they also suffer the most customer churn (6%) following a data breach. (The other industries include media, energy, hotels, manufacturing and finance.)
The churn, or turnover rate, can be explained by several factors. For example, it’s easier to switch to a new health care provider than to a financial services company, which might hold a customer’s 401(k) account and mortgage.
Turnover also speaks to trust, and in more areas than just data. “It shows the negligence of an organization,” said Larry Ponemon, the institute’s CEO and founder. “Why would you want to deal with a health care provider who is not capable of controlling your records? Why would you trust them to do eye surgery, or why would you choose them to treat your illness? It changes the mind-set. It doesn’t mean that everybody leaves, but the lifetime value of that lost patient can be pretty expensive.”
Ponemon added that recent changes in reporting regulations -- as well as HIPAA security and privacy rules getting more teeth -- have also upped the ante for organizations with lax security. While the incidence of health care data breaches in general might not be rising, consumers are suddenly more aware of security issues and the risk of identity theft. This new awareness, coupled with stricter government rules for notification and remediation, is making providers more accountable for health care data breaches.
“A lot of the larger health care organizations … have implemented reasonable security safeguards as required by HIPAA, or just required by good business practices; but I think the notification issues have become more salient because of the potential fines the [Federal Trade Commission] can bring upon an organization if they are found to be grossly negligent in reporting,” Ponemon said. “Historically, even with HIPAA, a lot of health care organizations have not implemented state-of-the-art security.”
Many health care organizations -- insurers included -- have a ways to go in reaching current data security standards, Ponemon added, because they operated on such low profit margins for so many years that they did not make good decisions about investing in data security. In fact, some organizations put privacy policies and employee training programs in place but did not bother to invest in encryption software.
Those bad past decisions are haunting them now. Data thieves are targeting health care organizations because they find it easier to hack into customer information, which often includes such rich data as patient Social Security numbers in “that soft, gooey center” inside the security wrapper, as Ponemon put it. In the current regulatory climate, that adds up to problems that cost health care providers more to fix than it costs their industry peers, many of whom did invest in encryption.
Steps for keeping personal health information safe
Meanwhile, Ponemon’s other survey, Americans’ Opinions about Healthcare Privacy, suggested that, though Americans have little faith in their government to protect patient health information, the picture is rosier for health care providers.
Historically, even with HIPAA, a lot of health care organizations have not implemented state-of-the-art security.
Larry Ponemon, CEO, Ponemon Institute
Some 71% of the 883 respondents indicated that they trust providers to protect the privacy of their records, and 90% percent of the respondents believe all medical personnel treating them should have access to their personal health records.
These numbers might give hope to hospital CIOs charged with maintaining their patients’ data security. The results might also outline a CIO’s mission for attaining system interoperability, which would improve access to patient data across a facility and among health care providers.
That being said, CIOs have their work cut out for them if their goal is to maintain patient trust and avoid the abovementioned customer churn. When given a list of options, survey respondents outlined the most important strategies to protect their privacy and avoiding a health care data breach:
- 71% believe assigning control of the medical record to the individual patient would improve privacy.
- 56% believe stricter laws are needed to prevent government access without the consent of the individual.
- 54% believe stricter laws are needed to prevent private companies from accessing personal health information without proper consent.
While the consumers Ponemon surveyed may have some faith in health care providers to protect their data, and somewhat less faith in their government to do the same, the one party they don’t trust is corporate America. Only 9% of respondents indicated they wanted to give “business organizations that may wish to advise [them] of new products or services based on [their] health condition” access to their data, putting that preference dead last.
That’s even less than the 12% who indicated they would be comfortable giving their employer access to health data. That increases pressure on health care CIOs -- as if the financial implications outlined in the health care data-breach study weren’t enough -- to make sure they know everywhere their patient data is flowing.
Let us know what you think about the story; email Don Fluckinger, Features Writer.