That’s one of many sobering reminders in the survey that much protected health information remains unprotected three years after the HIPAA breach notification rule became effective. Ninety-four percent of provider organization respondents reported at least one data breach during the past two years, and 45 percent said they had more than five. The average for respondents was four breaches over two years.
Ponemon Institute, a privacy and security research firm, conducted the survey with sponsorship from data breach and remediation firm ID Experts. Eighty organizations, ranging from delivery systems to standalone hospitals and clinics, participated in the survey with 324 interviews conducted. Other survey results include:
* Fifty-two percent of respondents had one or more incidents of medical identity theft, and only one-third have controls to detect theft;
* Eighty-one percent permit employees and medical staff to use their own mobile devices and, on average, 51 percent of the work force brings their devices to work;
* Ninety-one percent of respondents use cloud services, but nearly half are not confident that information in the cloud is secure; and
* Nearly all breaches are discovered by an audit or assessment, or by employees.
Ponemon estimates the average cost to responding organizations of dealing with breaches at $2.4 million over two years, compared with $2.1 million in the 2010 survey. The report, “Third Annual Benchmark Study on Patient Privacy & Data Security,” is available here.