Data Security Inadequate at 71% of Hospitals

By dnicastro@hcpro.com | November 09, 2010

The HITECH Act has been under recent scrutiny for not improving the safety of patient records, according to research from The Ponemon Institute.

Of the 65 hospitals surveyed, most in the 100- to 600-bed range, 71% of respondents say they have inadequate resources to prevent and quickly detect patient data loss. The same percentage of respondents say federal regulations like HITECH have not improved the safety of patient records, according to the "Benchmark Study on Patient Privacy and Data Security."

Rick Kam, founder of the study sponsor, ID Experts, says he often hears that hospital leaders do not provide the necessary resources and do not make protecting patients' privacy a priority. "We need to do a better job," Kam adds. "This is a call to action."

Study findings include the following:

  • The majority of responding organizations have less than two staff dedicated to data protection management (67%)
  • Hospitals say that protecting patient data is not a top priority (70%)
  • Most at risk are patient billing information and medical records, which are not being protected
  • Patients are typically first to detect a significant number of breaches at healthcare organizations (41%)

"This (last) finding suggests that patient data is being unknowingly exposed until the patients themselves detect the breach," the study states. "Healthcare organizations' inability to prevent or detect patient data loss is putting patients at greater risk of medical identity theft, financial identity theft and having their personal health facts disclosed."

The study also finds that the cost of data breaches for hospitals as a whole is $6 billion. According to respondents in the study, the economic impact of data breach incidents over a two-year period is approximately $2 million per organization.

Through his research, Dr. Larry Ponemon, data security researcher, has learned that most hospitals are more concerned with "red and black" streams of revenue.

"A lot of organizations are frustrated at the limited number of resources" protecting patient privacy, Ponemon says. "It is an issue."

Other highlights from the study include the following:

  • 60% of organizations had more than two data breaches in the past two years. The average number for each participating organization was 2.4 data breach incidents
  • The average number of lost or stolen records per breach was 1,769. A significant percentage of organizations either did not notify any patients (38%) or notified everyone (34%) that their information was lost or stolen
  • The top three causes of a data breach are: unintentional employee action, lost or stolen computing devices and third-party snafu
  • 41% discovered the data breach as a result of a patient complaint
  • More than half (58%) of organizations have little or no confidence that their organization has the ability to detect all patient data loss or theft
  • 63% of organizations say it took them between one and six months to resolve the incident
  • 56% of respondents have either fully implemented or are in the process of implementing an EHR system. The majority (74%) of those who have an EHR system say it has made patient data more secure

Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.
