Despite the healthcare industry experiencing its worst year in history for breaches last year, there's been no giant leap forward in terms of tightening up data security, according to a new study.
“The big finding is, we've not seen a huge change,” said Larry Ponemon, chairman and founder of research firm the Ponemon Institute, which released its sixth annual healthcare data privacy and security survey Thursday.
“We've seen small progress, small baby steps in the right direction ... for whatever reason, it's been very slow moving. It's still not a No. 1 or even a No. 10 priority,” he said.
Another surprising finding is that healthcare organizations and the business associates they hire to help install systems and devices that gather and archive patient data are both pointing fingers when asked who's at fault for breaches.
According to the report, 89% of leaders surveyed said their healthcare organizations had experienced a data breach in the prior two years, and nearly half of them (45%) had seen more than five breaches.
Most were small, Ponemon said, involving fewer than 500 records, so they never appeared on the federal government's “wall of shame” public website, but “even a small data breach can be very costly,” in terms of forensics and other related expenses.
Healthcare security leaders who were surveyed are increasingly confident about their organizations' defenses. Both healthcare organizations and their business associates still depend more on policies and procedures than on technology to keep their data safe, although 57% of security leaders reported having adequate technology to prevent or quickly detect a breach, up from 46% a year ago.
Leaders of business associates were not as confident, with just 53% indicating they have adequate defensive policies and procedures in place, up from 50% last year.
Security executives frequently (51%) blamed themselves, but for not being sufficiently vigilant in “ensuring their partners and other third parties protect their information.”
Leaders of business associates, meanwhile, most commonly (54%) indicated healthcare organization employees were “negligent” in handling patient information. Half of BA leaders (50%) also opined that healthcare organizations were not adequately investing in technologies to mitigate a data breach.
More than half of the leaders (57%) interviewed from the 91 healthcare organizations and 69% from the 84 business associate firms participating in the survey had titles of chief security officer, chief information security officer, chief information officer, chief privacy officer and chief compliance officer.
A third of healthcare organization leaders surveyed and 29% from business associates say their organizations have purchased some form of data breach insurance.
Security leaders from both groups say they need more money to get the job done, with 59% from healthcare organizations and 60% from the business associates reporting they “don't think their organization's security budget is sufficient to curtail or minimize data breaches,” according to a summary of the report.
Legal defense, forensic and credit monitoring costs are typically covered by insurance, according to 70% or more of providers and BAs responding, but damage to a company's brand and communication costs related to a breach are “rarely covered,” according to the survey.
Rick Kam, president of survey sponsor ID Experts, a provider of data breach response, risk assessment and consumer identity protection services, said healthcare leaders need to assume greater responsibility.
“The reason why the number of breaches persists, there is this culture in healthcare where they're focusing on the patient, which is good, but there is a lack of accountability in the healthcare system for protecting this data,” Kam said.
In 2012, the Office for Civil Rights at HHS conducted a series of 115 random audits of healthcare organizations, finding that “a good number” of them had problems meeting the risk assessment requirement under the law, according to the agency's lead, Leon Rodriguez.
A second round of OCR audits that will include both HIPAA-covered entities and their business associates is pending.
In the wake of the Enron and WorldCom financial scandals and failures, Congress in 2002 passed the Sarbanes-Oxley Act, forcing company leaders to attest that their company's financial statements were accurate.
“It was a wake-up call in financial services when they realized a civil suit could be thrown against them or they could be thrown in jail,” Kam said.