While patient names and high-level patient information were most commonly compromised, Social Security Numbers were leaked in 38% of the incidents. The study warns that hospitals store more data in a single record — including the golden combination of name, Social Security Number, and date of birth — than other types of institutions.
Ignorance of the true cost of a data breach contributes to hospitals placing less emphasis on breach reporting. HIMSS reports that 72% of hospitals that experienced a fraud-related breach believed the incident had no negative financial impact. Contrasting this belief, the study cites the Ponemon Institute's 2007 Cost of Data Breach Study, which puts the average breach at per record, or million per incident. Darwin Professional Underwriters also report that a breach of 25,000 records can cost million.
Even with the legal requirements of HIPAA breach notification, Sarbanes-Oxley, and PCI DSS, hospitals are falling through the “regulatory loopholes” of vague language that allow breaches to go unreported, the study says. For example, even though study respondents have a high awareness of HIPAA, the regulation does not specify security implementations — only that facilities have established risk management processes.
According to the study, hospital breach-prevention efforts do not focus on malicious breaches, but on inadvertent access by employees. A large portion of resources is dedicated to employee education and disciplinary action in order to mitigate this risk. Unfortunately, these efforts do little to prevent malicious actions aimed at stealing patient data, such as laptop theft and deliberate acts of data theft.
The responses suggest a largely reactive orientation to security and breach response planning, and a troubling tendency to deal with situations as they arise rather than proactively and continually reviewing and revising security and breach response plans as the environment changes, the study says. Most hospital action plan changes are prompted by organizational shifts or new regulations, not by security breaches, the report states.
Even within organizations where breaches took place, respondents did not focus on changing their security policies, but instead on proactively monitoring compliance with those policies, the researchers comment.