Healthcare data breaches on the rise, with potential $7B price tag

By Erin McCann
09:36 AM

A new report shedding light on the challenges data breaches pose for the healthcare industry finds that the annual number of breaches continues to trend upward, and also could come with a nearly $7 billion price tag.

Conducted by privacy research firm Ponemon Institute, the third annual "Benchmark Study on Patient Privacy and Data Security" examines the fiscal and economic consequences of data breaches alongside emerging security trends, such as those relating to mobile devices.

Among the most compelling findings outlined in the report is data showing that breaches are, indeed, increasing. Some 94 percent of hospitals have experienced data breaches over the past two years, with medical files, billing and insurance records accounting for the majority of them.

But what's even more striking, say Ponemon officials, is that nearly half of hospitals (45 percent) have seen more than five data breaches at their organization – this in comparison to the 29 percent that had more than five data breaches in 2010.

The financial consequences of industry data breaches are also glaring. Researchers estimated the average economic impact of healthcare data breaches represented in the report at $2.4 million – up $400,000 from 2010's study.

The 2012 annual financial impact, the researchers say, is much more alarming.

"It cost the U.S. healthcare industry $6.87 billion to respond to these breaches," says Rick Kam, president and co-founder of ID Experts. "To put that into context, last year we talked about the fact that the U.S. federal government invested $6 billion, roughly, to cancer research, to basically eradicate cancer. Well, we're spending more on data breaches to respond to them than on cancer research."

Moreover, the top causes for data breaches, officials say, are completely and entirely avoidable, with loss of equipment accounting for 46 percent and employee errors at 42 percent. Criminal attacks (33 percent) and technology glitches (31 percent) were also commonly reported by hospitals.

Although desktops and laptop computers continue to account for the majority of stolen or lost devices, mobile technologies are on a steep incline. "What we also found that is kind of interesting is that the major source of data breaches on lost or stolen devices, and definitely on the rise, are tablets," said Larry Ponemon, chairman and co-founder of Ponemon Institute. "Last year tablets represented about 7 percent of all lost or stolen devices; this year, it's 18 percent, so it's more than double."

Other report findings include:

BYOD: A striking 81 percent of healthcare providers allow employees to use their own mobile devices to connect to the hospital network. More than half of employees take part in the “bring your own device” movement.

Health information exchanges (HIEs): Only 28 percent of organizations interviewed indicated they were part of an HIE, with more than half expressing reservations pertaining to patient privacy and security with HIEs.

To stay ahead of the problem, the Ponemon Institute outlines several recommendations to help healthcare organizations avoid a breach.

First, Kam says, "These individuals who are responsible for protecting this information really need to reorient themselves." Instead of subscribing to the thought process that these breaches only occur "once in a blue moon," officials need to understand that they occur daily. "All of their processes, their systems, their tools … all of these things need to be updated, and the appropriate processes and procedures need to be put in place," Kam adds.

Kam also advises organizations to have annual privacy and security assessments. "This is required by law every year, and very few organizations, unfortunately, do this," he says.

"A lot of organizations in healthcare, historically, have been laggards on security enabling technologies. The gap may be changing. We're seeing more and more organizations in healthcare stepping up to the plate," says Ponemon. "For the most part, we've seen a lot of organizations being somewhat careless. Not having tools that are relatively inexpensive to safeguard sensitive data, that just seems to be not a smart idea."