Ponemon has released a new survey on data breaches in the healthcare sector. The Second Annual Benchmark Study on Patient Privacy and Data Security, sponsored by ID Experts, is available on their web site, but I want to pull out a few points from the results that I think are worth noting:
The number of reported breaches was up 32% in 2011 compared to 2010. Significantly, 46% of the entities reported experiencing 5 or more data breaches in the past two years – up from 29% of the sample in the first benchmark survey. Are breaches actually increasing, though, or is there just better detection? For this time period, over half of breaches were detected by employees, an improvement over last year, so at least part of the rise in reported breaches may reflect organizations catching incidents they would previously have missed.
The average number of lost or stolen records per breach was 2,575. This, too, is an increase over last year, when the average number of records compromised per breach was 1,769. Given the small sample size (72 organizations participated in the survey) and that there were no “monster” (>100,000 records) breaches reported last year but one reported this year, the increased records-per-breach statistic may be somewhat skewed. That said, we have certainly seen some huge patient data breaches recently – the Sutter Health breach affecting 4.2 million and the SAIC/TRICARE breach affecting 5.1 million. Although neither incident is likely to be among those included in the survey, I would expect to see a significantly higher records-per-breach statistic for 2011.
Widespread use of mobile devices continues to put patient data at risk. Not surprisingly, 81% of healthcare organizations report that they use mobile devices to collect, store, and/or transmit some form of protected health information (PHI). Worryingly, 49% of participants report their organizations do nothing to protect these devices. Thus, despite all of the media coverage, many organizations continue to engage in what I would best characterize as negligent security practices. HITECH and new regulations do not appear to have significantly improved security and many entities do not appear to be particularly concerned about HHS/OCR imposing any fines. Perhaps when OCR starts auditing in 2012 or starts handing out more fines, organizations will invest more in security. One of the most significant findings of the second benchmark study was that organizations feel that they do not have the budget or resources allocated to properly secure patient data and many organizations still do not make security of patient data a priority.
The top three causes for data breaches continue to be lost or stolen devices (49%, up from last year), third-party “snafu,” a term that can cover a lot of sins (46%, up from last year), and unintentional employee action (41%, down from last year). Reports of criminal attacks increased from 20% last year to 30%. If third-party “snafus” showed the biggest increase from the last survey, one might expect to see organizations tightening up their contracts with business associates to incorporate more security and privacy protections. That does not appear to be the case, however, with fewer respondents feeling confident that their organization had adequate contracts in place.
The average economic impact of a data breach was $2.2 million, up 10% from last year. Respondents continue to express concern or belief that they are at risk of losing patients as a consequence of a breach, but again, there are no objective data to support their concern. It’s time to stop asking people what they believe and find out what really happens. When a hospital is the only game in town, I doubt they are going to lose patients over a breach. Indeed, I doubt that there’s much churn at all in the healthcare sector due to breaches. Show me the data.
Over 70% of respondents recognized that patients may be at increased risk of harm from a data breach (medical identity theft, financial identity theft, or other problems from private information becoming public), and 74% reported that, following a data breach, patients either suffered identity theft (financial or medical) or the organization did not know whether they had. Why, then, do the majority (65%) not offer protection services for the affected patients following a data breach? Offering credit monitoring if no Social Security Numbers or financial data are compromised makes no sense to me, but organizations have an affirmative obligation to mitigate harm. Are they living up to that obligation?
While the survey highlights some improvements (such as more detection of breaches by employees), its overall message is that organizations continue to put patients at risk by not deploying security technologies, by not ensuring business associates adequately protect data, and by recklessly allowing data to leave the premises on mobile devices that are lost or stolen. And when patients are harmed by breaches or face increased risk of harm, entities are likely to offer no meaningful help.
All in all, a fairly depressing report.