Data breaches continue to climb
$7 billion caveat to industryTRAVERSE CITY, MI | January 30, 2013From the February 2013 print issue
Healthcare data breach numbers not only continue to trend upwards but they are also costing the industry a pretty penny, according to a recent report conducted by privacy research firm Ponemon Institute.
Currently, that polished, copper penny is valued at nearly $7 billion annually. That's more money than the healthcare industry spends on cancer research each year.
"It cost the U.S. healthcare industry $6.87 billion to respond to these breaches," said Rick Kam, president and co-founder of ID Experts. "To put that into context, last year we talked about the fact that the U.S. federal government invested $6 billion, roughly, for cancer research, to basically eradicate cancer. Well, we're spending more on data breaches - to respond to them - than on cancer research."
Additional findings in the Institute's third annual patient privacy report are also glaring. For instance, researchers pegged the average economic impact of these data breaches for organizations at $2.4 million - up $400,000 from 2010's study.
The report also examined the fiscal and economic consequences of data breaches in conjunction with up-and-coming security trends, such as those relating to mobile devices.
Among the most compelling findings outlined in the report is data highlighting the fact that breaches are indeed increasing. Some 94 percent of hospitals have experienced data breaches over the past two years, with medical files, billing and insurance records accounting for the majority of them.
But what's even more striking, say Ponemon officials, is that nearly half of hospitals (45 percent) have seen more than five data breaches at their organization - this in comparison to the 29 percent that had more than five data breaches in 2010.
Moreover, the top causes for data breaches, officials say, are completely and entirely avoidable, with loss of equipment accounting for 46 percent and employee errors at 42 percent. Criminal attacks (33 percent) and technology glitches (31 percent) were also commonly reported by hospitals.
Although desktops and laptop computers continue to account for the majority of stolen or lost devices, mobile technologies are on a steep incline. "What we also found that is kind of interesting is that the major source of data breaches on lost or stolen devices, and definitely on the rise, are tablets," said Larry Ponemon, chairman and co-founder of Ponemon Institute. "Last year tablets represented about 7 percent of all lost or stolen devices; this year, it's 18 percent, so it's more than double."
Robert Belfort, partner at tier 1 healthcare law firm Manatt, Phelps & Phillips in New York, said seeing as lost and stolen devices account for the lion's share of industry data breaches, the easiest solution is to encrypt all portable devices. "Under the breach notification rule, if the information is encrypted in accordance with HHS standards, it's not considered a breach, and notification isn't required," Belfort said. "That one step alone, I think, would eliminate a significant portion of breaches that are occurring right now."