The Ponemon Institute released its Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data on May 7, 2015, highlighting serious challenges in protecting the privacy and security of health information.
The study sets forth findings based on the survey of 90 HIPAA covered entities, such as healthcare providers and health plans, and 88 business associates, including vendors and service providers who access protected health information (PHI) in performing functions or activities for covered entities. The study estimates an annual data breach cost of $6 billion, with an average two-year cost of $2.1 million for covered entities and $1 million for business associates responding to the survey.
Other findings of the study include:
- Criminal attacks increased by 125 percent over five years, and have moved ahead of employee errors as the number one cause of data breaches for covered entities
- 91 percent of covered entities reported experiencing at least one data breach and 40 percent had more than five data breaches within the past two years
- 59 percent of business associates reported experiencing at least one data breach and 15 percent had more than five data breaches within the past two years
- Only 33 percent of covered entities and 41 percent of business associates are confident that they have sufficient resources to prevent or quickly detect a data breach
- Only 50 percent of covered entities and 42 percent of business associates perform a risk assessment after each security incident involving electronic information to determine whether reporting is required under the Breach Notification Rule
The Ponemon Institute found in a 2014 study that healthcare had the highest per capita cost of 16 benchmarked industry sectors in the U.S., at $316 per compromised record.
The complete 2015 Study is available here.
This study provides another reminder of the need for all organizations handling health information to implement appropriate safeguards to protect the privacy and security of all personal information (including PHI), and robust policies and procedures to detect and respond to data breaches.