We all trust doctors and hospitals to take care of us when we are sick or in need of medical care. But in regard to protecting our personal information, healthcare providers are, on average, not making the grade.
A recent study from the Ponemon Institute and ID Experts found that 94 percent of the organizations polled said they had experienced at least one data breach, and 45 percent indicated they had fallen victim to five or more such incidents. In addition, a medical identity theft occurred at 52 percent of the healthcare providers surveyed.
The study found that the average breach costs a medical organization roughly $1.2 million, and the costs borne by the entire U.S. healthcare industry as a result of data breaches totaled $7 billion. Over the past two years, the annual costs related to just medical identity theft rose from $28.6 billion in 2010 to $41.3 billion this year.
More than 1.8 million Americans have had their personal information compromised as a result of medical identity theft, and more than 21.2 million U.S. residents have been affected by a data breach at a healthcare institution, according to the report.
“The trend continues: data breaches are increasing, patient information is at risk, yet healthcare organizations continue to follow the same processes,” Rick Kam, president and co-founder of ID Experts, said in a statement. “Clearly, in order for the trend to shift, organizations need to commit to this problem and make significant changes. Otherwise, as the data indicates, they will be functioning in continual operational disruption.”
Why healthcare providers suck at layered security
The report found that not only are many medical organizations clueless about how to deal with potential threats and related issues, but too often they are not able to implement the proper measures. For example, 67 percent of organizations lack the requisite controls to detect or prevent identity theft, and only 16 percent indicated that they conduct risk auditing.
“Healthcare organizations face many challenges in their efforts to reduce data breaches,” Dr. Larry Ponemon, chairman and founder of Ponemon Institute, said in a statement. “This is due in part to the recent explosion of employee-owned mobile devices in the workplace and the use of cloud computing services. In fact, many organizations admit they are not confident they can make certain these devices are secure and that patient data in the cloud is properly protected. Overall, most organizations surveyed say they have insufficient resources to prevent and detect data breaches.”
Even though 46 percent of data breaches occurred as a result of a lost or stolen device, which was the most common source of a data leak, many healthcare organizations said that they are not doing enough to prevent issues from occurring. For example, while 91 percent of organizations surveyed used cloud-based solutions, 47 percent of them said they are not confident about their cloud computing security. Similarly, 81 percent of healthcare providers have a bring-your-own-device policy, even though 46 percent of medical organizations have no idea if these devices are secure.
Budgetary constraints may be partly responsible for the gaps in application control and other necessary measures. Among those surveyed, 73 percent said they lacked the resources to prevent breaches and 66 percent indicated that their security budget was too small to deal with all of the potential problems.
What can healthcare organizations do to more efficiently mitigate the risk posed by data breaches and identity theft? Leave your comments below to let us know what you think about this study’s findings!