The frequency of data breaches in healthcare organizations has increased by 32 percent, with hospitals and healthcare providers averaging four data breaches, says a report on the subject.

The second annual benchmark study by Ponemon Institute found that employee negligence is the primary culprit. According to 41 percent of healthcare organizations surveyed, data breaches involving protected health information (PHI) are caused by sloppy employee mistakes. Half of respondents do nothing to protect mobile devices that are in use in 80 percent of healthcare organizations, the report says. Based on the experience of the healthcare organizations surveyed, data breaches could be costing the U.S. healthcare industry an estimated $4.2 billion to $8.1 billion annually—an average of $6.5 billion—enough to hire more than 81,000 registered nurses nationwide or fund 216 million flu vaccinations.

According to the report,

  1. Data breaches represent a 32 percent increase, with compromised patient records in benchmarked organizations increasing an average of 46 percent. According to the research, 55 percent of healthcare organizations say they have little or no confidence they are able to detect all privacy incidents. About 61 percent of organizations are not confident they know where their patient data is physically located. Third-party mistakes, including business associates (BAs), account for 46 percent of data breaches reported in the study. According to 49 percent of respondents, lost or stolen computing or data devices are the reason for healthcare data breach incidents.
  2. More than 80 percent of healthcare organizations use mobile devices that collect, store and/or transmit some form of PHI. Yet, half of all respondents do nothing to protect these devices, the report says.
  3. 73 percent of respondents reported lacking sufficient resources to prevent or detect unauthorized patient data access, loss or theft. 53 percent of organizations cite lack of budget as their biggest weakness in preventing data breaches. The increased use of outside resources and business associates—associated with the downsizing of hospital staff—is having a direct impact on privacy and security. 69 percent of organizations say that they have little or no confidence in business associates ability to secure patient data.

The report recommends that healthcare organizations can minimize their data breach risks with three basic steps:

1. Take an inventory of PHI/PII.

An inventory provides a complete accounting of every element of personally identifiable information (PII) and PHI that an organization holds, in either paper or electronic format. It helps determine how an organization collects, uses, stores and disposes of its PHI. A PHI inventory reveals the risks for a data breach, so organizations can strategically protect PHI data and best plan for a response based on real information.

2. Develop an Incident Response Plan (IRP).

An IRP is an effective, cost-efficient means for helping organizations meet HIPAA and HITECH requirements and develop guidelines related to data breach incidents. The IRP designates roles and provides guidelines for the response team's responsibilities and actions.

3. Review contracts and agreements with business associates.

Business associates are a growing cause of data breaches. These contracts between healthcare organizations and business associates authorize and define business associates' use of the PHI they share with healthcare providers. Keeping these contracts up-to-date demonstrates compliance to regulators and helps maintain consistency in how PHI is managed in a healthcare ecosystem.