by Christina Thielst

First posted on Christina’s Considerations on 12/6/2012

Christina Thielst, Host of Christina’s Considerations

The Third Annual Benchmark Study on Patient Privacy & Data Security by Ponemon Institute and ID Experts, has been released and reports that healthcare organizations face a huge challenge in stopping data breaches.

  • 94% of healthcare organizations surveyed suffered at least one data breach
  • 45% of organizations experienced more than five data breaches during the past two years
  • Astonishingly,  69% off organizations still have not secure medical devices—such as mammogram imaging and insulin pumps (IT and Biomed have to talk!)
  • The cost to the industry could average $7 billion annually. 

Most organizations surveyed say they have insufficient resources to prevent and detect data breaches, but consider the alternatives.  Patients are at increased risk for medical identity theft and their PHI and privacy could be violated as mobile and cloud technology becomes pervasive.

Change is needed and recommendations include:

  1. Operationalize pre-breach and post-breach processes, including incident assessment and incident response processes
  2. Restructure the information security function to report directly to the board to symbolize commitment to data privacy and security
  3. Conduct combined privacy and security compliance assessments annually
  4. Update policies and procedures to include mobile devices and cloud
  5. Ensure the Incident Response Plan (IRP) covers business associates, partners, cyber insurance

If you like visuals, check out the infographic.  If you are into details, read the entire report and consider:

  • Information breached is largely medical files and billing and insurance records. According to the research, 54% of organizations have little or no confidence that they can detect all patient data loss or theft. Based on the experience of the 80 healthcare organizations participating in this research, the resulting cost to the U.S. healthcare industry could be $6.87 billion, up from 2011. The average impact of a data breach is $1.2 million per organization.
  • The causes of data breach cited were loss of equipment (46%), employee errors (42%), third-party snafu (42%), criminal attack (33 %), and technology glitches (31%). Cases of medical identity theft occurred at 52% of the organizations, and it lead to inaccuracies in the patient’s medical record (39%) and/or affected the patient’s medical treatment (26%).
  • Mobile devices in the workplace pose threats to patients’ PHI.  Employees are permitted to use their own mobile devices—commonly called Bring Your Own Device (BYOD)—often to access organization data (81%), yet organizations are not confident that these personally owned mobile devices are secure (54%). Hospitals surveyed are using cloud-based services (91%) to store patient records, patient billing information, and financial information, but 47% percent lack confidence in the data security of the cloud.
  • This past year, 36% of healthcare organizations made improvements in their privacy and security programs, in response to the threat of audits conducted by the U.S. Department of Health and Human Services Office for Civil Rights. While 48% of organizations are now conducing security risk assessments, only 16% are conducting privacy risk assessments. Organizations still have insufficient resources to prevent and detect data breaches (73%) and/or don’t have controls to prevent and/or quickly detect medical identity theft (67%).

Now that I have an headache, I think I’ll stop here.

Patricia Salber MD, MBA (@docweighsin)
Patricia Salber, MD, MBA is the Founder and Editor-in-Chief of The Doctor Weighs In. She is also the CEO of Health Tech Hatch, the sister site of TDWI that helps innovators tell their stories to the world. She is also a physician executive who has worked in all aspects of healthcare including practicing emergency physician, health plan executive, consultant to employers, CMS, and other organizations. She is a Board Certified Internist and Emergency Physician who loves to write about just about anything that has to do with healthcare.


  1. This is an excellent alert about a major problem increasing in frequency as we become more electronic-record addicted. Security and privacy can be improved, and this article will stimulate me and others to take action to protect our patients and our practices.


All comments are moderated. Please allow at least 1-2 days for it to display.