Healthcare data breach numbers not only continue to trend upwards but they are also costing the industry a pretty penny, according to a recent report conducted by privacy research firm Ponemon Institute.
Currently, that polished, copper penny is valued at nearly $7 billion annually. That's more money than the healthcare industry spends on cancer research each year.
"It cost the U.S. healthcare industry $6.87 billion to respond to these breaches," said Rick Kam, president and co-founder of ID Experts. "To put that into context, last year we talked about the fact that the U.S. federal government invested $6 billion, roughly, for cancer research, to basically eradicate cancer. Well, we're spending more on data breaches - to respond to them - than on cancer research."
Additional findings in the Institute's third annual patient privacy report are also glaring. For instance, researchers pegged the average economic impact of these data breaches for organizations at $2.4 million - up $400,000 from 2010's study.
The report also examined the fiscal and economic consequences of data breaches in conjunction with up-and-coming security trends, such as those relating to mobile devices.
Among the most compelling findings outlined in the report is data highlighting the fact that breaches are indeed increasing. Some 94 percent of hospitals have experienced data breaches over the past two years, with medical files, billing and insurance records accounting for the majority of them.
But what's even more striking, say Ponemon officials, is that nearly half of hospitals (45 percent) have seen more than five data breaches at their organization - this in comparison to the 29 percent that had more than five data breaches in 2010.
Moreover, the top causes for data breaches, officials say, are completely and entirely avoidable, with loss of equipment accounting for 46 percent and employee errors at 42 percent. Criminal attacks (33 percent) and technology glitches (31 percent) were also commonly reported by hospitals.
Although desktops and laptop computers continue to account for the majority of stolen or lost devices, mobile technologies are on a steep incline. "What we also found that is kind of interesting is that the major source of data breaches on lost or stolen devices, and definitely on the rise, are tablets," said Larry Ponemon, chairman and co-founder of Ponemon Institute. "Last year tablets represented about 7 percent of all lost or stolen devices; this year, it's 18 percent, so it's more than double."
Robert Belfort, partner at tier 1 healthcare law firm Manatt, Phelps & Phillips in New York, said seeing as lost and stolen devices account for the lion's share of industry data breaches, the easiest solution is to encrypt all portable devices. "Under the breach notification rule, if the information is encrypted in accordance with HHS standards, it's not considered a breach, and notification isn't required," Belfort said. "That one step alone, I think, would eliminate a significant portion of breaches that are occurring right now."
Belfort added that training is also imperative. "You can have a policy saying you need to encrypt, but if the employees don't know about the policies or don't take it seriously, that's not going to be helpful." He cited a couple cases he had recently where companies had policies that required encryption and employees put information on CDs or thumb drives that weren't encrypted and were ultimately lost - a required breach notification.
Other report findings include:
- BYOD: A striking 81 percent of healthcare providers allow employees to use their own mobile devices to connect to the hospital network. More than half of employees take part in the "bring your own device" movement.
- Health information exchanges (HIEs): Only 28 percent of organizations interviewed indicated they were part of an HIE, with more than half expressing reservations pertaining to patient privacy and security with HIEs.
To stay on the offensive, the Ponemon Institute outlined several recommendations to help healthcare organizations avoid a breach.
First, Kam said, "These individuals who are responsible for protecting this information really need to reorient themselves." Instead of subscribing to the thought process that these breaches only occur "once in a blue moon," officials need to understand that they occur daily. "All of their processes, their systems, their tools ... all of these things need to be updated, and the appropriate processes and procedures need to be put in place," Kam added.
Kam also advises organizations to have annual privacy and security assessments. "This is required by law every year, and very few organizations, unfortunately, do this," he said.
"A lot of organizations in healthcare, historically, have been laggards on security enabling technologies. The gap may be changing. We're seeing more and more organizations in healthcare stepping up to the plate," said Ponemon. "For the most part, we've seen a lot of organizations being somewhat careless. Not having tools that are relatively inexpensive to safeguard sensitive data, that just seems to be not a smart idea."
