Data breaches may cost healthcare organizations $5.6 bn annually: Ponemon (US)

[grow_thumb image=”https://telecareaware.com/wp-content/uploads/2013/10/keep-calm-and-enter-at-own-risk-3.png” thumb_width=”150″ /]The PHI threat is within for HIT staff and CIOs, with no end in sight: Ponemon Institute and IS Decisions

The Ponemon Institute’s fourth annual benchmark report on patient privacy and data security was released last week and with a few exceptions, the news is worse than last year. Eight highlights in the study of 91 responding organizations (Ponemon admits results are skewed to larger sized respondents) for 2013 are:

1. The average cost of data breaches in the study group was approximately $2 million over a two-year period. Extrapolated to the over 5,700 hospitals in the US, the annual cost is $5.6 billion, down from $7 billion in 2012.
2. The number of data breaches decreased slightly. 38 percent report more than five in the 2013 report compared to 45 percent in 2012. The number of organizations reporting at least one data breach in the past two years was 90 percent versus 94 percent in 2012.
3. Healthcare organizations improve ability to control data breach costs. The economic impact of data breaches for the healthcare organizations represented in this study over the past two years is $2.0 million–but it is 17 percent (nearly $400,000) less than 2012.
4. ACA increases risk to patient privacy and information security. No surprises here for readers with insecure exchange of information between healthcare providers and government (75 percent ), patient data on insecure databases (65 percent) and patient registration on insecure websites (63 percent) leading the way.
5. Accountable Care Organization (ACO) participation increases data breach risks due to the exchange of patient information (66 percent).
6. Criminal attacks on healthcare organizations increased by 100 percent since 2010; employee negligence is considered the biggest security risk (75 percent).
7. BYOD usage continues to rise despite security concerns. 88 percent permit it, despite the concerns about employee negligence and the use of insecure mobile devices.
8. Healthcare organizations don’t trust their third parties or business associates with sensitive patient information. Only 30 percent feel confident or very confident that their downstream partners carefully safeguard this data.

There is much more in the full Ponemon Institute study, available for free download here (registration required) sponsored by ID Experts. Rick Kam, ID Experts’ president, also authored an article in HITECH Answers.

A second study from healthcare software vendor IS Solutions, surveying 250 US and 250 UK HIT decision makers, also outlined the threat from within (Health IT Outcomes).

• IT professionals in the healthcare sector are more concerned about insider threats than their colleagues in other industries, with 30 percent considering it to be in their top three security priorities compared to 21 percent on average–yet the health sector spends less on security overall (12 percent versus other industries at 15 percent).
• Internal security is a greater problem than external security for 16 percent of HIT professionals, in comparison to just 7 percent of all other IT professionals. Password sharing may be the culprit–30 percent is the professionals’ estimate.

Previously in TTA: Why healthcare doesn’t encrypt: correct, incorrect assumptions, How insecure can health data get? Very., US health data breaches hit record; Healthcare.gov backdoored? Additional articles, search ‘data breaches’