The Third Annual Benchmark Study on Patient Privacy and Data Security by the Ponemon Institute reports that healthcare organizations face an uphill battle to stop data breaches, according to an article from the International Business Times.

According to the Ponemon report, 94 percent of healthcare organizations surveyed suffered at least one data breach; 45 percent experienced more than five in the past two years.

Data breaches cost the U.S. healthcare industry an average of $7 billion annually.

The report also notes that 69 percent of organizations surveyed do not secure medical devices – including mammogram imaging and insulin pumps – which hold patients’ protected health information (PHI).

Infographic: You can view or download a free infographic of the study’s findings here.

Additional findings include:

  • 54 percent of organizations have little to no confidence that they can detect all patient data loss or theft.
  • The average impact of a data breach is $1.2 million per organization.
  • Causes of data breach cited were loss of medical equipment (46 percent), employee errors (42 percent), third-party snafu (42 percent), criminal attack (33 percent) and technology glitches (31 percent).
  • More than half of healthcare organizations (52 percent) had cases of medical identity theft, and 39 percent of those say it resulted in inaccuracies in the patient’s medical record and 26 percent say it affected the patient’s medical treatment.
  • 81 percent of organizations permit employees to use their own mobile devices (BYOD), but 54 percent of organizations are not confident that these personally-owned devices are secure.
  • 91 percent of hospitals surveyed are using cloud-based services, including to store patient records, patient billing information and financial information. Yet, 47 percent of organizations lack confidence in the cloud’s data security.
  • Over the past year, 36 percent of healthcare organizations have made improvement in privacy and security programs, in response to the threat of audits conducted by the U.S. department of Health and Human Services Office for Civil Rights, the press release notes.
  • 48 percent of organizations are conducting security risk assessments, but only 16 percent are conducting privacy risk assessments.
  • 73 percent have insufficient resources to prevent and detect data breaches.
  • 67 percent don’t have controls to prevent or quickly detect medical identity theft.

Rick Kam, president and co-founder of ID Experts – the commissioner of the survey – has five recommendations for healthcare organizations:

  1. Operationalize pre-breach and post-breach processes, including incident assessment and incident response processes
  2. Restructure the information security function to report directly to the board to symbolize commitment to data privacy and security
  3. Conduct combined privacy and security compliance assessments annually
  4. Update policies and procedures to include mobile devices and cloud
  5. Ensure the Incident Response Plan (IRP) covers business associates, partners, cyber insurance