Hospitals need to do a better job of encrypting patient data to address the spiraling scale of security breaches, concludes a new report from healthcare IT security company Redspin.

The report also notes that healthcare organizations need to bridge the gap between the demand from doctors and nurses using their own devices in the workplace (BYOD) and enacting the necessary security measures to ensure patient information contained on those devices is protected if they are lost or stolen, Med City News states.

Since the HITECH Act was enacted in 2009, 804 breaches affecting 29.3 million patient health records have occurred, according to the Redspin report. More than 80 percent of these breaches were caused by theft of laptops and digital media containing personal health information (PHI). Another 22 percent of breaches were caused by unauthorized access. One in five was caused by a business associate.

Among the report’s recommendations:

1. Encrypt “data at rest. According to the report, had encryption been more widely deployed, the problem would have not been so dire.
2. Do regular HIPAA risk analysis.
3. Implement monthly or quarterly vulnerability assessments to reduce the threat of hackers.
4. Conduct security awareness with staff and build a culture of security among them.
5. Be in regular contact with Business Associates on security issues. According to the report, the percent of large-scale data breaches involving Business Associates fell from 56 percent in 2009-2012 to 10 percent last year.