Data breach prevention not a high priority: survey

Almost all—96%—of the 300 individuals from 72 healthcare organizations participating in a data security survey said that their organization had experienced a patient-information breach in the past two years, according to a report from the Ponemon Institute, a privacy and security research firm based in Traverse City, Mich.
The average number of records lost or stolen in those breaches this year was 2,575.
An unintentional employee action was the most common root cause of the data breaches; this was cited by 45% of organizations that had experienced a breach. The second-most-common data breach cause was a lost or stolen computing device, at 41%.
And although 46% of survey respondents said they have policies governing the proper use of mobile devices, 49% said they "don't do anything to protect mobile devices." Less than one-fourth (23%) said their organization has "encryption solutions installed." Additionally, more than half of respondents indicated they have little (30%) or no (25%) confidence in their organization's ability to detect privacy incidents and the loss of patient data. More than one-third (35%) of respondents said that data breaches in their organizations were discovered via patient complaints. They named inadequate budgets for privacy and security (51%) and insufficient assessments for risk (43%) as the top weaknesses in their organization's security program.
A plurality (25%) of respondents said breaches over the past two years cost their organizations between $201,000 and $500,000, but 48% of respondents selected higher ranges.
Only 29% of those surveyed agreed that preventing the loss or theft of patient data or unauthorized access to it is "a high priority." But 55% of respondents indicated that "the threat of" upcoming HIPAA audits and investigations by HHS has prompted changes in patient data privacy and security programs.
The survey targeted data protection professionals, with 43% of respondents holding the title of chief security officer, chief information security officer, chief information officer, chief privacy officer or chief compliance officer. Additionally, the sample was skewed toward larger healthcare organizations, "excluding the plethora of very small provider organizations, including local clinics and medical practitioners," the report said.