In the last two years, 94 percent of healthcare organizations that took part in the Ponemon Institute’s “Third Annual Benchmark Study on Patient Privacy & Data Security” [PDF] reported that they had suffered at least one data breach; 45 percent reported that they had been the victim of more than five data breaches.
In the 2010 study, 14 percent of those surveyed reported that they had lost no patient data in 2009 and 2010. As for organizations breached more than five times, in 2009 and 2010 that figure was 29 percent of study participants.
More stark yet, 54 percent of respondents had little or no confidence that their organization was capable of detecting, let alone stopping, all patient data loss or theft.
The percentage of organizations that reported suffering breaches that caused more than $500,000 in damages increased from 48 percent to 57 percent. On average, respondents in the Ponemon study claimed to lose $2.4 million in breach-related losses over the two year period, an increase of nearly $400,000 from the previous iteration of the study. Ponemon estimates that the entire industry could be hemorrhaging as much as $7 billion a year in data breach-related losses.
Employee carelessness and other human errors caused the majority of breaches: 46 percent of respondents said that breaches occurred after employees lost devices holding patient data or had such devices stolen from them. After lost or stolen devices, “employee mistakes or unintentional actions” and “third-party snafus” were the next most common causes of data breaches, cited by 42 percent of respondents each (respondents were permitted to select multiple responses in the study).
The report also claims that criminal attacks on the healthcare industry are increasing. In the 2010 study only 20 percent of compromises were attributed to criminal activity. By 2012, the figure had climbed to 33 percent.
The real victims of hospital or other industry breaches are patients. Healthcare organizations are, on average, losing 2,769 records per breach. The lost records usually contain medical files or billing and insurance records. 69 percent of respondents told Ponemon that patients were at increased risk of identity theft following a breach.
The report also highlights the risk posed by dramatic increases in employees bringing personal, internet-connected devices into the workplace, which is by no means a problem unique to the healthcare industry, and by the adoption of unsecured medical devices, like wireless heart pumps, mammogram imaging, and insulin pumps, which is almost completely unique to the industry.
More than 90 percent of hospitals in the survey are using cloud services to store sensitive patient data, while nearly half of respondents doubt that cloud services can protect that data.