Study Blames Digital Health Data Breaches on Lack of Funding, Support

March 5, 2012

By Chris Strohm

WASHINGTON — Insufficient funding and lack of executive support are mainly responsible for security breaches involving patients’ electronic health records, a study found.

Executives at health-care companies and providers must improve cost assessments to include payments from class-action lawsuits, said the report released Monday by the nonprofit American National Standards Institute. Its members include Kaiser Permanente and data-security sellers such as Microsoft as well as the Defense Department and the FDA.

”No organization can afford to ignore the potential consequences of a data breach,” according to the report by the institute, which helps businesses and agencies set standards. ”To successfully mitigate data breach threats and risks, leaders of organizations in the health-care sector must understand the evolving health care-ecosystem.”

To view the original article please click here.

Concerns that patients’ personal data may be vulnerable to theft may grow as President Obama’s administration increases incentive payments to doctors and hospitals to spur adoption of digital health records. The payments established by the 2009 economic stimulus legislation may reach $27.4 billion.

The frequency of data breaches at health organizations jumped 32 percent in 2011 from a year earlier, costing the industry an estimated $6.5 billion, according to a Dec. 1 study by the Ponemon Institute, a Traverse City, Mich.-based information-security research group.

Executives at health-care providers, pharmaceutical companies and medical-device makers surveyed in a Jan. 31 Bloomberg Government study said they would need to increase spending on cybersecurity to about $155 million a year on average from $23 million to stop 95 percent of hacking attacks. The analysis was based on interviews with 56 executives from 24 health-care organizations.

The American National Standards Institute study released today found that almost 60 percent of about 100 health-care executives surveyed cited lack of funding as the main reason for not securing digital records. Forty percent cited insufficient time, while 32 percent pointed to a lack of senior executive support.

The report offers chief financial officers and chief privacy officers a five-step model to make a business case to top executives for investing to protect health records. The model is intended to help organizations assess security risks, identify gaps in protecting data and calculate potential costs of a breach.

”What we want to demonstrate is the work that the private sector can do on a key national priority,” said James McCabe, a senior director at the institute.

The institute conducted the study with the Internet Security Alliance, a Washington-based trade association, and the Santa Fe Group, a consulting firm in Santa Fe, N.M.

The Department of Health and Human Services began collecting data on breaches in August 2009. More than 385 incidents were reported affecting at least 10 million patients nationwide in the first two years, the most recent information available.

Tags: ,