Patient Data Breaches Surge as Hospitals Scrimp on Security

by Chris Strohm, Business Week

Data breaches at U.S. health-care providers are increasing as hospitals adopt electronic medical records and mobile technology without spending enough on security to ensure patient privacy, a research group said.

The frequency of data breaches at health organizations jumped 32 percent in 2011 from a year earlier, costing the industry an estimated $6.5 billion, according to a study released today by the Ponemon Institute LLC, a Traverse City, Michigan-based information-security research group.

Forty-nine percent of health organizations said that lost or stolen devices were to blame for breaches, according to the institute, which surveyed 72 hospitals and health providers. The study didn’t name the organizations surveyed.

‘It’s definitely not getting better,’ Larry Ponemon, president and founder of the institute, said in an interview. ‘What we see on the people side, on the technology side and on the governance practice side for health-care organizations is that security doesn’t seem to be their priority.’

Concerns that patients’ personal information may be vulnerable to theft are likely to increase as President Barack Obama’s administration increases incentive payments to doctors and hospitals to spur adoption of digital health records. The payments, authorized under the 2009 economic stimulus, may reach $27.4 billion.

‘Because it’s such a big piece of revenue for health-care organizations, they are rushing to do health records without building in security,’ Rick Kam, president and co-founder of ID Experts, a Portland, Oregon-based security firm and sponsor of the study, said in an interview. ‘They are under-resourced.’

Notification Laws

Fifty-three percent of the organizations surveyed said that inadequate funding was the biggest barrier to preventing data breaches, according to the study.

U.S. data-breach notification laws for health organizations are making providers more aware of their security vulnerabilities, Ponemon said. Data breaches affecting more than 500 people must be reported to the Health and Human Services Department, which posts a list of incidents on its website.

Health providers, insurers and their business partners reported 373 breaches affecting almost 18 million individuals between September 2009 and October of this year, according to the list, which is tended by the Health and Human Services Department’s Office of Civil Rights.

Threat of Audits

Under the Health Insurance Portability and Accountability Act, organizations are expected to document their privacy, security and breach notification policies, as well as conduct a security risk assessment.

The Health and Human Services Department has begun auditing health-care providers and employer-sponsored group health plans for compliance with federal privacy laws. Agency personnel conduct site visits and interview key personnel to determine an organization’s vulnerabilities and compliance procedures.

Fifty-five percent of respondents in the Ponemon survey said the threat of audits has prompted changes in their patient-data and security programs, the study said.

Many data breaches are caused by simple carelessness, said Harry Rhodes, director of practice leadership for the American Health Information Management Association, a Chicago-based trade group for health information-management specialists.

‘It’s been kind of like a silent crisis,’ Rhodes said. ‘The vast majority of breaches are really pedestrian. You lost your laptop, you lost your smartphone or your tablet.’

Mobile Technology

One of the biggest concerns is that doctors and other health-care professionals want to use their own smartphones or tablet computers, often without proper security, such as encryption or passwords, Rhodes said.

‘I think most of what needs to be done is there needs to be education and awareness,’ he added. ‘There may be training at a facility, but training is not the same thing as education and awareness.’

That increasing use of mobile technology is putting patient data at risk, according to the Ponemon study. Thirty-eight percent of providers surveyed said they were very confident or somewhat confident of the security of patient data accessed by mobile devices.

Eighty-one percent of health organizations surveyed said they use mobile devices to collect, store and transmit patient records, according to the study. ‘However, 49 percent of participants admit their organizations do nothing to protect these devices,’ according to the study.

Health-care organizations should view security as a good business practice that will improve their reputations and make them more competitive, Ponemon and Kam said.

‘The increase in enforcement, the fear of enforcement, I think is making organizations more accountable and maybe more transparent about what they do,’ Ponemon said. ‘In that respect we’re going to see an improvement.’