News that millions of patient Social Security numbers were recently stolen from Community Health Systems Inc. computers should come as no surprise. Earlier this year, we published results from our Fourth Annual Benchmark Study on Patient Privacy and Data Security, and the headline result was this: criminal attacks on healthcare systems have risen a startling 100 percent since we first conducted this study four years ago, in 2010.
Many other findings were equally sobering. Healthcare employees are fueling breach risks through increased use of their personal, unsecured devices (smartphones, laptops and tablets). Business Associates—those that have access to PHI and work with healthcare organizations—are not yet in compliance with the HIPAA Final Rule.
Data breaches continue to cost some healthcare organizations millions of dollars every year.
While the cost can range from less than $10,000 to more than $1 million, we calculate that the average cost for the organizations represented in this year’s benchmark study is approximately $2 million over a two-year period. This is down from $2.4 million in last year’s report as well as from the $2.2 million reported in 2011 and $2.1 million in 2010. Based on the experience of the healthcare organizations in this benchmark study, we believe the potential cost to the healthcare industry could be as much as $5.6 billion annually.
The types of healthcare organizations participating in the study are hospitals or clinics that are part of a healthcare network (49 percent), integrated delivery systems (34 percent) and standalone hospitals or clinics (17 percent). This year, 91 healthcare organizations participated in this benchmark research and 388 interviews were conducted. All organizations in this research are subject to HIPAA as covered entities. Most respondents interviewed work in compliance, IT, patient services and privacy.
Other key research findings:
The number of data breaches decreased slightly. Ninety percent of healthcare organizations in this study have had at least one data breach in the past two years. However, 38 percent report that they have had more than five incidents. This is a decline from last year’s report, when 45 percent of organizations had more than five. This, coupled with an increase in organizations’ level of confidence in data breach detection, suggests that modest improvements have been made in reducing threats to patient data.
Healthcare organizations improve ability to control data breach costs. The economic impact of one or more data breaches for healthcare organizations in this study ranges from less than $10,000 to more than $1 million over a two-year period. Based on the ranges reported by respondents, we calculated that the average economic impact of data breaches over the past two years for the healthcare organizations represented in this study is $2.0 million. This is a decrease of almost $400,000 or 17 percent since last year.
ACA increases risk to patient privacy and information security. Respondents in 69 percent of organizations represented believe the ACA significantly increases (36 percent) or increases (33 percent) risk to patient privacy and security. The primary concerns are insecure exchange of patient information between healthcare providers and government (75 percent of organizations), patient data on insecure databases (65 percent) and patient registration on insecure websites (63 percent of organizations).
ACO participation increases data breach risks. Fifty-one percent of organizations say they are part of an Accountable Care Organization (ACO), and 66 percent say the risks to patient privacy and security due to the exchange of patient health information among participants have increased. When asked whether their organization experienced changes in the number of unauthorized disclosures of PHI, 41 percent say it is too early to tell. Twenty-three percent say they noticed an increase.
Confidence in the security of Health Information Exchanges (HIEs) remains low. An HIE is defined as the mobilization of healthcare information electronically across organizations within a region, community or hospital system. The percentage of organizations joining HIEs increased only slightly: this year, 32 percent say they are members, up from 28 percent last year. One-third of organizations say they do not plan to become a member. The primary reason could be that 72 percent of respondents say they are only somewhat confident (32 percent) or not confident (40 percent) in the security and privacy of patient data shared on HIEs.
Criminal attacks on healthcare organizations have increased 100 percent since 2010. Insider negligence continues to be at the root of most data breaches reported in this study, but a major challenge for healthcare organizations is addressing the criminal threat. These types of attacks on sensitive data have increased 100 percent since the study was first conducted in 2010, from 20 percent of organizations reporting criminal attacks to 40 percent of organizations in this year’s study.
Employee negligence is considered the biggest security risk. Seventy-five percent of organizations say employee negligence is their biggest worry, followed by use of public cloud services (41 percent), mobile device insecurity (40 percent) and cyber attackers (39 percent).
BYOD usage continues to rise. Despite the concerns about employee negligence and the use of insecure mobile devices, 88 percent of organizations permit employees and medical staff to use their own mobile devices, such as smartphones or tablets, to connect to their organization’s networks or enterprise systems such as email. Similar to last year, more than half of organizations are not confident that these personally owned (BYOD) mobile devices are secure.