Hospitals & Medical Centers / Security Newswire

Data Breaches Cost Healthcare Industry $7 Billion Annually

The Third Annual Benchmark Study on Patient Privacy and Data Security by the Ponemon Institute reports that healthcare organizations face an uphill battle to stop data breaches, according to an article from the International Business Times.

According to the Ponemon report, 94 percent of healthcare organizations surveyed suffered at least one data breach; 45 percent experienced more than five in the past two years.

Data breaches cost the U.S. healthcare industry an average of $7 billion annually.

The report also notes that 69 percent of organizations surveyed do not secure medical devices – including mammogram imaging and insulin pumps – which hold patients’ protected health information (PHI).

Infographic: You can view or download a free infographic of the study’s findings here.

Additional findings include:

  • 54 percent of organizations have little to no confidence that they can detect all patient data loss or theft.
  • The average impact of a data breach is $1.2 million per organization.
  • Causes of data breach cited were loss of medical equipment (46 percent), employee errors (42 percent), third-party snafu (42 percent), criminal attack (33 percent) and technology glitches (31 percent).
  • More than half of healthcare organizations (52 percent) had cases of medical identity theft, and 39 percent of those say it resulted in inaccuracies in the patient’s medical record and 26 percent say it affected the patient’s medical treatment.
  • 81 percent of organizations permit employees to use their own mobile devices (BYOD), but 54 percent of organizations are not confident that these personally-owned devices are secure.
  • 91 percent of hospitals surveyed are using cloud-based services, including to store patient records, patient billing information and financial information. Yet, 47 percent of organizations lack confidence in the cloud’s data security.
  • Over the past year, 36 percent of healthcare organizations have made improvement in privacy and security programs, in response to the threat of audits conducted by the U.S. department of Health and Human Services Office for Civil Rights, the press release notes.
  • 48 percent of organizations are conducting security risk assessments, but only 16 percent are conducting privacy risk assessments.
  • 73 percent have insufficient resources to prevent and detect data breaches.
  • 67 percent don’t have controls to prevent or quickly detect medical identity theft.

Rick Kam, president and co-founder of ID Experts – the commissioner of the survey – has five recommendations for healthcare organizations:

  1. Operationalize pre-breach and post-breach processes, including incident assessment and incident response processes
  2. Restructure the information security function to report directly to the board to symbolize commitment to data privacy and security
  3. Conduct combined privacy and security compliance assessments annually
  4. Update policies and procedures to include mobile devices and cloud
  5. Ensure the Incident Response Plan (IRP) covers business associates, partners, cyber insurance

Did you enjoy this article? Click here to subscribe to Security Magazine. 

You must login or register in order to post a comment.



Image Galleries

ASIS 2013 Product Preview

ASIS International 59th Annual Seminar and Exhibits, September 24-27 in Chicago, Illinois, will include an exhibit hall packed with innovative security solutions. Here are some of the products that will be shown at ASIS this year.


Virtualization and Data Center Security: What You Need to Know for 2014

Data centers are increasingly becoming the center of the enterprise, and data center and cyber security is following the same path for security departments. According to Justin Flynn, a consultant at the Burwood Group, the virtualization of data centers allows enterprises to scale more easily and faster, with a smaller footprint.

However, hosting enterprise data in the cloud can make intrusion detection more difficult – how can enterprise security leaders team up with other departments to keep aware of cyber risks and traffic, and physical and data compliance during the virtual transition? How can CISOs and CSOs discuss cyber threats with the C-Suite to get the resources they need? And how can the proper infrastructure test and verify possible malicious attacks? 

More Podcasts

Security Magazine

September 2014

2014 September

In the September issue of Security Magazine, find out who this year's most influential people are in the security industry are. Also, take a peek at the technology products that ASIS 2014 will be showcasing at the upcoming event. Read about the lessons learned from security at the World Cup, find out why tactical medical training is a must for your enterprise and how Atlanta increased security by sharing surveillance.
Table Of Contents Subscribe

Adopting New Technology

How long do you wait before adopting a new technology?
View Results Poll Archive


CompTIA Security+ Certification Study Guide
CompTIA's Security+ certification is a globally-recognized, vendor neutral exam that has helped over 60,000 IT professionals reach further and higher in their careers. The current Security+ exam (SY0-201) focuses more on being able to deal with security issues rather than just identifying them.
More Products

Clear Seas Research

Clear Seas ResearchWith access to over one million professionals and more than 60 industry-specific publications,Clear Seas Research offers relevant insights from those who know your industry best. Let us customize a market research solution that exceeds your marketing goals.

Vertical Sector Focus: Critical Infrastructures

criticalhomepagethumbFrom terrorism to vandalism, it’s preparedness, response, training and partnerships. Learn about some of the critical security issues facing this sector.

Visit the Critical Infrastructure page to


Facebook 40px 2-12-13 Twitter logo 40px 2-12-13  YouTube  LinkedIn logo 40px 2-12-13Google+