Data breaches are costing the health care industry an estimated $6.2 billion, with 89% of organizations represented in a new study by the Ponemon Institute having experienced a data breach in the past two years and 45% reporting more than five breaches in the same time period.
The Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data, sponsored by ID Experts, found that 69% of health care organizations believe they are at greater risk than other industries for a data breach. Fifty-one percent blamed a lack of vigilance in ensuring their partners and other third parties protect patient information as a top reason for their vulnerability, and 44% say it’s due to a lack of skilled IT security practitioners.
“In the last six years of conducting this study, it’s clear that efforts to safeguard patient data are not improving. More health care organizations are experiencing data breaches now than six years ago,” said Larry Ponemon, chairman and founder, Ponemon Institute. “Negligence—sloppy employee mistakes and unsecured devices—was a noted problem in the first years of this research and it continues. New cyber threats, such as ransomware, are exacerbating the problem.”
With recent health care data breaches making headlines, the industry is on high alert. Sixty-seven percent of health care organizations say well-publicized breaches have affected their security practices in the following ways:
- 61% became more vigilant in ensuring partners and other third parties have necessary precautions in place to safeguard patient information.
- 58% increased their investment in technologies to mitigate a data breach.
- 52% increased employee training.
Another study released around the same time from the Brookings Institution, Hackers, phishers, and disappearing thumb drives: Lessons learned from major health care data breaches, found similar results. Over the last six years, more than 155 million Americans have had medical data potentially exposed through nearly 1,500 breaches, with a per-record cost of $363.
Niam Yaraghi, author of the report and a Brookings Institution Fellow, said in a podcast, “These hacking incidents unfortunately will continue because there is no immediate solution to decrease them at the moment; however, they will also be a wakeup call for hospitals to take information security much more seriously than before and implement long-term solutions.”
The Brookings Institution report takes industry knowledge on data breaches a step further, and includes policy recommendations to better protect patient privacy and prevent breaches:
- Prioritize patient privacy and use available resources to protect medical data through spending more on security technologies or diligently implementing privacy policies.
- Greater communication between health care organizations through information sharing about security technologies, privacy policies, and breach incidents.
- Develop a cyber-insurance market where companies can conduct audits and proactively manage privacy protection efforts.
- Release Office for Civil Rights data breach investigation details.
- Establish a universal HIPAA certification system and conduct preventive audits.