Health data breaches are costing the industry an estimated $6.5 billion annually -- enough to hire more than 81,000 registered nurses -- and the situation is unfortunately poised to get worse, according to a recent Ponemon Institute and ID Experts Corp. study.
"It looks like there will be more breaches, and bigger breaches, going forward," ID Experts President Rich Kam said, pointing to the recent TriCare and Sutter Health breaches -- which each affected more than 4 million patients and now face billion-dollar class action lawsuits.
The 2011 Benchmark Study on Patient Privacy and Data Security, now in its second year, found that health care organizations and their business associates are increasingly lax, if not sloppy, when it comes to personal health information (PHI) security.
All told, 96% of the study's 72 respondents had suffered a health care data breach in the last year, with lost or stolen computer hardware, third-party errors and unintentional employee action ranking among the major causes.
On average, each health data breach affected more than 2,500 patients and cost an institution more than $2.2 million to rectify. Both represent significant increases over the 2010 study.
Patient data privacy by the numbers
Key findings from the 2011 Benchmark Study on Patient Privacy and Data Security include the following:
- Organizations have averaged four health data breaches over the past two years.
- Nine in ten organizations feel that health data breaches cause harm to patients, but only one in four actually monitor breaches after they happen.
- Five in six respondents have written policies in place to notify authorities about a health data breach, but nearly three in five feel those policies are ineffective.
- About 57% of respondents have "little or no confidence" that their organization can detect all patient data loss, and nearly 70% said the same of their HIPAA business associates.
- Fewer than30% of organizations have adequate resources for preventing or detecting unauthorized patient data access, loss or theft.
- More than 40% of respondents said administrators in their organization don't fully understand the importance of health information security.
Larry Ponemon, Ph.D., chairman and founder of the Ponemon Institute, noted that health information security does not, and in fact may never, rank among the top priorities in an industry focused above all on providing patient care while also addressing financial turmoil and changing business practices.
This is especially true of mobile devices in health care. Roughly 80% of respondents are using them, but only about 25% are securing them with technology such as encryption, keypad locks or anti-virus software. Fewer than half even have policies to govern mobile device use.
The catch, of course, is that mobile health is "almost a fixture of health care," Ponemon said, pointing to mHealth's ability to improve efficiency and information access while negating the need for paper records. As Ponemon sees it, mobile device security, hitherto progressing less quickly than mobile device functionality, will soon catch up, to the point that smartphones are as secure as (admittedly not ironclad) laptops. As a result, health care organizations should not suppress mHealth efforts.
Collaboration, common sense key to preventing health data breaches
Organizations can take several steps to improve health information security, Kam said.
Basic tasks include taking an inventory of all PHI and personally identifiable information, developing an incident response plan and reviewing HIPAA business associate agreements. Business associates should be involved in all three steps, Kam added, as they can help covered entities conduct a HIPAA security risk analysis for PHI in transit and at rest. Plus, this involvement leaves business associates better informed about the safeguards spelled out in their agreements.
"This is a team sport," he said. "We need better collaboration."
In addition, Kam said, "Everything with PHI should be encrypted," to the point that it becomes as routine as washing with antibacterial soap before a medical procedure. This step is especially important for small health care practices that lack the resources to implement identity and access management or other security measures.
Rich Kampresident, ID Experts
Overall, the study concluded that organizations have gotten better at detecting and reporting health data breaches but still struggle to prevent them in the first place.
Part of this stems from an increasingly aggressive regulatory approach, as exemplified by the Office for Civil Rights' forthcoming random HIPAA compliance audits and calls from Sen. Al Franken (D-Minn.) for even tougher health data breach penalties. Part of this, too, is the nature of health care organizations as "information-rich ecosystems" where "you can't walk in without data flowing all around you," Ponemon said.
That information is simultaneously necessary for treatment but harmful if revealed -- and it points to a need for common sense. After all, Ponemon said, health information privacy and security are important, but they cannot supersede the need to save lives.
Let us know what you think about the story; email Brian Eastwood, Site Editor.