New Ponemon study: patient data inadequately protected, many hospitals do not notify patients of breaches
The Ponemon Institute has released a new study sponsored by ID Experts, “Benchmark Study on Patient Privacy and Data Security.” The study examined hospitals’ patient privacy practices, breaches involving patient information, and compliance policies and activities.
Sixty-five healthcare organizations participated in the study. The healthcare organizations participating in the study were described as integrated delivery systems — a network of healthcare organizations under a parent holding company (35%), part of a healthcare network (46%) and standalone hospital or clinic (17%).
Some of the takeaway points of the study include:
Data breaches are costing the health care system billions. According to respondents in the study, the economic impact of data breach incidents over a two-year period is approximately $2 million per organization. Using 5,815 as the number of registered hospitals in the U.S. based on AHA Hospital Statistics (2010 edition), the study estimates that over a two-year period, data breaches cost hospitals $12 billion.
Most healthcare organizations experience undetected breaches of patient data due to lack of preparation and staffing. Healthcare organizations reported they have inadequate resources (71%), few (if any) appropriately trained personnel (52%) and insufficient policies and procedures in place (69%) to prevent and quickly detect patient data loss.
Sixty percent of organizations in the study had more than two data breaches in the past two years. The average number for each participating organization was 2.4 data breach incidents. And those are only the breaches that have been detected. For survey respondents, 14% reported no breaches during a two-year period, 26% reported 1 incident, 31% reported 2-5 incidents, and 29% reported 5 or more incidents.
Protecting patient data is not a priority. Seventy percent of respondents say that protecting patient data is not a top priority. The majority of responding organizations have less than two staff dedicated to data protection management (67%). Most at risk is patient billing information and medical records.
Of concern, employees are discovering less than half (47%) of breaches, while audits are responsible for discovering breaches in 41% of cases. Patients are reportedly first to detect 41% of breaches. The finding that entities are not detecting breaches is a concern that I have raised numerous times, but it’s nice to see some actual statistics as to how often this might be happening.
In light of the above, it is no surprise that 23% of respondents said that they had no confidence in their organization’s ability to detect breaches.
New HITECH requirements have not improved the safety of patient records. Despite the intent of the rules, the majority (71%) of respondents do not believe these new federal regulations have significantly changed the management practices of patient records.
Not only have they not changed management practices, but they have seemingly failed to achieve compliance with notification requirements. A significant percentage (38%) of organizations did not notify any patients that their information was lost or stolen. That may be the most shocking statistic in the report to me, and more on this later.
When data breaches occurred, the average number of lost or stolen records per breach was 1,769 with 61% of incidents involving 10-100 records. The top causes of a data breach reported by study participants were:
- unintentional employee action (52% of incidents)
- lost or stolen computing devices (41%)
- third-party snafu (34%), followed closely by
- technical system glitch (31%).
Criminal attacks were involved in 20% of incidents, and malicious insiders were involved in 15% of incidents. Only 10% of incidents involved intentional non-malicious actions.
In terms of resolving breaches, only 13% of respondents reported that breaches were resolved within a week or less; 63% say it took them between 1-6 months to resolve the incident, and 25% reported that breaches took either longer than a year to resolve or were still not resolved.
In terms of negative impact of breaches: very few respondents (15%) believe the breach had no negative impact on their organizations. Most respondents reported they have suffered brand or reputation diminishment (81%) followed by time and productivity loss (80%) and loss of patient goodwill (77%). The least frequent negative results are lawsuits (23%) and poor employee morale (18%). When a breach results in churn, the extrapolated average lifetime value of one lost patient (customer) is $107,580.
Respondents were asked what they believed the consequences of a breach were to patients: 61% said it’s increased risk that personal health facts will be disclosed followed by an increased risk of financial identity theft (56%) and increased risk of medical identity theft (45%). Only 8% said patients suffer no harms. Unfortunately, that item is based on what respondents think or believe — not what they know or what the facts may show and a significant number of respondents (41%) were unsure whether or not their organization’s breaches led to any cases of identity theft (financial or medical).
In light of the above, it is somewhat surprising to read that study respondents believe the move to electronic health records (EHR) may make patient records more secure. Fifty-six percent of respondents have either fully implemented or are in the process of implementing an electronic health records (EHR) system. The majority (74%) of those who have an EHR system say it has made patient data more secure. As the investigators note, however, “While the move to EHR may solve some of the security issues that healthcare organizations now face, it also creates new concerns for organizations to manage. This massive shift to digitized records makes patient data available to many more individuals within and outside the provider organization and leaves the data more vulnerable to the growing threat of cyber crime.”
Respondents were fairly negative about their organization’s ability to protect patient information when used by outsourcers and cloud computing providers. Equally concerning, only 23% of respondents believe they can curtail physical access to data storage devices and servers.
The one positive note, if there was any, is that organizations who had more security factors in place tended to suffer significantly fewer records per breach than those with poor security.
I’m sure there will be a lot of commentary and analysis by others of the findings of this study, but for me, the takeaway messages are that security is really as bad as we feared it is and almost 40% of large hospital networks may not even be notifying patients when they do detect a breach involving patient information.
The rate of willful non-disclosure in smaller covered entities or business associates cannot really be estimated because of the nature of the study, but if we consider that most breaches are not detected and 40% of the ones that are detected may not be disclosed, where does that leave us? And what, if anything, will federal regulators do to make it very costly for hospitals to decide not to disclose?