Despite all the attention placed on the importance of health care records and patient confidentiality, U.S. hospitals say data breaches are a fairly common and expensive experience, according to a new report by the Ponemon Institute.
The study, sponsored by ID Experts and released last week, finds that data breaches are exacting a heavy toll on health care providers. Sixty percent had more than two security breaches in the last year, and the average security breach costs $2 million in direct and indirect remediation. The analysis conducted by Ponemon places the cost to health care providers at more than $12 billion annually.
The report’s findings come as new stimulus funding is being released by the federal government to help health care providers convert their paper-based systems to electronic medical records. Government officials and many in the health care industry believe the migration to digital recordkeeping systems will help reduce redundancy and waste, and improve collaboration among caregivers, thus reducing costs. The U.S. health care industry accounts for $2 trillion in economic activity, or roughly 1/7th of gross domestic product.
Protecting patient records is not a new phenomenon. The Health Insurance Portability and Accountability Act of 1996 made patient privacy a cornerstone. The more recent HITECH Act put teeth in the law by adding fines for data breaches. Yet despite these laws, 70 percent of hospitals say protecting patient data is not a priority. Health care providers in the Ponemon study say they lack resources, trained personnel, and policies and procedures to safeguard patient records. Fifty-eight percent say they have little to no confidence in their ability to adequately protect records in their possession.
The lack of confidence and ability to stop breaches is reflected in the way health care providers discover security incidents. One in four of the study’s participants say the way they most commonly discover that a breach has occurred is when a patient complains. The most common causes of a breach: unintentional employee action, lost or stolen devices and third-party errors.
For solution providers looking to cash in on the health care market opportunity, the Ponemon data is a good indicator and justification for electronic medical records and layered security systems. While Ponemon questions the security of EMR systems, most health care providers (three-quarters) in the study say digitizing records has made them more secure. Likewise, Ponemon found that health care organizations with strong security postures – a combination of synergistic security controls, policies and defined procedures – are far less likely to suffer a major breach.
The big takeaway from the Ponemon research is the inseparability of EMR and security. The implementation of EMR systems with strong security controls does not relieve health care providers of the need to implement complementary security. Solution providers need to develop integrated offerings that lead to efficiencies and effectiveness in recordkeeping and data security.