Although many healthcare organizations are making progress in their efforts to create an infrastructure to stop data breaches, a new study by the Ponemon Institute LLC found that the frequency of reported data breaches among organizations in its study increased 32 percent from the previous year. Unsecured mobile devices are a key point of vulnerability, the study found.
Ponemon, which surveyed 72 healthcare organizations in the fall of 2011, also estimated that on average data breaches cost these benchmarked organizations more than $2.2 million, which represents an increase of more than $180,000 from its fall 2010 study.
“There are at least three reasons why the number of reported breaches is going up,” said Larry Ponemon, Ph.D., chairman and founder of the Ponemon Institute in Traverse City, Mich. First, the greater regulatory requirements for disclosure are making organizations more self-aware and better at reporting the breaches that do occur. Second, the industry-wide shift from paper to electronic introduces some chaos during the transition, which leads to data leakage. Finally, he said, cybercriminals are targeting patient data more frequently.
The top cause cited for data breaches remains lost or stolen computing devices, and the survey also identified unsecured mobile devices as a problem area. More than 80 percent of respondents said their organizations use mobile devices that may collect, store and/or transmit protected health information, yet 49 percent said their organizations don’t do anything to protect these mobile devices, and 46 percent depend upon policies and governance. Only 23 percent use encryption to safeguard patient data. Only 15 percent are very confident and 23 percent are somewhat confident that patient data is protected from being accessed via mobile devices. “There are ways to secure them, but providers say it makes them less convenient if you have strong security settings,” Ponemon said. “But for a relatively small cost, encryption and anti-theft solutions make a lot of sense. These are not free resources, but when healthcare organizations feel enough pain from breaches, they will do it.”
Respondents also said third-party actions are the second most common source of breaches, followed by unintentional employee actions.
“The best way to address third-party snafus is to adopt your business associates and contractors,” said Rick Kam, president of Portland, Ore.-based consulting firm ID Experts, which sponsored the survey. “Make clearer who is responsible for what PHI, and get them involved in your enterprise incident response planning system.”
Here are a few other key findings from the study:
• Employees are most often the group to detect the data breach (51 percent) followed by 43 percent who say it was through audit/assessment and 35 percent say it was as a result of a patient complaint.
• The average time to notify data breach victims is approximately seven weeks. Eighty-three percent of respondents believe it is critical to notify victims as soon as possible.
• Perceptions that EHR systems create more security decreased from 74 percent in last year’s study to 67 percent of respondents this year. A higher percentage (19 percent vs. 12 percent) of respondents in this year’s study say EHR has made no difference in the security of patient data.