By Cole Petrochko, Associate Staff Writer, MedPage Today
Nearly all healthcare organizations responding to a survey — 96% — reported that patient or related information has been lost, stolen, or otherwise compromised within the last two years.
The number of data breaches involving protected health information rose by 32% from 2010, according to interview data published online by the independent privacy and data protection group the Ponemon Institute.
Three out of 10 respondents (29%) said a data breach resulted in medical identity theft — up 26%.
And two out of five respondents (41%) blamed data breaches on employee negligence — not following data-handling procedures, sloppy mistakes, and using unsecure electronic devices — and 49% reported lost or stolen devices. Third-party errors were responsible for 46% of breaches.
Information was collected through interviews with senior-level staff at 72 healthcare organizations regarding data loss and theft experiences at their facilities. Sites included parent holding companies of healthcare organizations, parts of a healthcare network, and individual hospitals or clinics. Staff interviewed included security, administration, privacy, compliance, finance, and clinical personnel. An average of four staff members were interviewed per site.
Breaches were most often detected by an employee (51%), but were also detected through audits and assessments (43%) and patient complaints (35%).
More than half of respondents said they had little or no confidence that all breaches were detected (55%), and 57% had little or no confidence that all patient data loss or thefts had been detected.
A growing number of healthcare facilities — more than 80% — use mobile devices to transmit, store, and/or collect protected patient health information, but half of respondents said those devices were unsecured, the institute wrote in a statement accompanying the report.
They found that 22% of organizations say their budget is sufficient for minimizing data breach instances. And although 83% of hospitals have a written policy and procedure for contacting authorities in the event of a data breach, 57% didn’t think the policies were effective at curbing breaches.
The researchers outlined steps for patients and organizations to secure data and prevent future breaches, loss, or adverse effects of a loss. For patients, this included:
- Reading Explanation of Benefits and Medicare Summary Notices for missing goods or services
- Keeping online account passwords secure by using different passwords for each account, and making passwords not easily guessable
- Avoiding phishing emails, texts, and phone calls that may compromise personal data
- Contacting government agencies to keep a flag on personal files
- Monitoring financial accounts for suspicious activity
For healthcare organizations, they suggested:
- Creating inventories of private health data, including information about how that data is collected, used, stored, and disposed of
- Establishing an incident response plan that designates roles and creates guidelines in the event of a breach
- Reviewing contracts and agreements made with third-party information handlers
The study was limited by a number of factors. Data were collected through self report, and only a small segment — 14% — of healthcare organizations contacted responded to an interview request. Results of interviews were skewed to larger-sized groups. Interviews were mostly limited to staff tasked with protection, security, privacy, and compliance. The researchers also noted that some normatively important variables were omitted from the analyses.