Healthcare Data In Critical Condition

A new report taking the pulse of the healthcare industry finds that data breaches have jumped more than 30 percent and could be costing the industry an average of $6.5 billion annually.

The new Ponemon Institute "2011 Benchmark Study on Patient Privacy and Data Security," commissioned by IDExperts, found that employee error is one of the main reasons for data breaches in hospitals and healthcare providers. Hospitals and healthcare providers suffered an average of four data breaches in the past year, according to the report.

But the jump in breaches is, in part, due to better detection capabilities by healthcare organizations, says Larry Ponemon, chairman and founder of the Ponemon Institute. "It was not too surprising that the rate of data loss increased … [But] we think that finding may not be as negative as it appears, and could be a discovery-rate increase with more control and governance practices and use of enabling technologies."

Another big factor in data loss, however, is the explosion in mobile devices in the healthcare field. Some 80 percent employ these devices for gathering, transmitting, and storing patient information, but half are not securing them. While these devices help patient care, they also pose a major risk of exposure for the patient's health and other personal information, Ponemon says.

"With all of the focus around HIPAA and HITECH [Act] and security, it surprised me to see these organizations would allow the deployment of those devices [unsecured]," says Rick Kam, president of ID Experts. "It's like people driving the Indy 500 without seatbelts."

Among the top reasons for breaches: nearly half were stolen or lost computing or data devices, and 46 percent, due to third-party provider mistakes. Another problem is knowing just where patient data resides: Sixty-one percent say they are "not confident" they know where all patient data is being stored. More than half aren't sure they can detect incidents of data exposure.

More than 80 percent of hospitals have written policies for data breach reporting, but nearly 60 percent say the policies are ineffective. More than 40 percent say administrative employees are least cognizant of the need for protecting patient information.

Nearly 30 percent say the breaches they suffered resulted in medical identity theft -- a more than 25 percent increase over 2010.

A full copy of the report is available here for download.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.