In the survey of 65 health care organizations, conducted by the Ponemon Institute and sponsored by data breach solutions provider ID Experts, 60 percent of respondents said they have suffered more than two breaches in the past two years.
The top three causes of breaches were unintentional employee action, lost or stolen computing devices and third-party accidents. The average number of lost or stolen records per breach was 1,769.
The survey found that breaches have cost the U.S. health care system $12 billion over the past two years. The economic impact of a data breach was approximately $2 million per organization over a two-year period.
Moreover, federal regulations have not improved the safety of patient records, the survey found.
The Health Information Technology for Economic and Clinical Health Act, or HITECH Act, passed as part of the 2009 economic stimulus bill, is intended to strengthen the protection of identifiable health information by expanding the scope of the Health Insurance Portability and Accountability Act (HIPAA) regulations.
But the majority of survey respondents said they do not believe the new regulation has significantly changed the management practices of patient records.
The legislation, said to give "teeth" to the older HIPAA, allows state attorneys general to obtain statutory damages against noncompliant health care providers on behalf of state residents.
Doug Pollack, director of privacy and security at ID Experts, told SCMagazineUS.com on Tuesday that enforcement actions taken under the law thus far have been slow and mostly have affected health insurance companies, not health care organizations.
Consequently, protecting patient data is still not a priority for a majority of health care organizations, he said.
“Revenue trumps privacy – that's the way it is,” Pollack said. “There needs to be a handful of high-profile lawsuits or penalties that are assessed against health care providers for not being in compliance. One or two of these will cause executives at health care systems to relook at their priorities.”
In the survey, 67 percent of respondents said they have fewer than two staff members dedicated to data protection management.
Due to a lack of preparation and staffing, most health care organizations experience undetected breaches of patient data, the survey found.
“While we are seeing a lot of breaches being reported, there remain a lot that aren't reported because they go undetected,” Pollack said. “We are at a tip-of-the-iceberg situation where we aren't seeing the whole scope of the problem.”
Moreover, 58 percent of respondents said they have "little or no confidence" in their ability to appropriately secure patient records.
However, respondents are hopeful that the state of health care data security could improve with the adoption of electronic health records (EHR), the survey found. Fifty-six percent of respondents have either fully implemented or are in the process of implementing an EHR system.
Encouragingly, a majority of those who already have an EHR system say they believe it has made patient data more secure.
Organizations are optimistic that modern security architectures will be implemented as part of the adoption of EHR systems, Pollack said. But even so, he added, the move to digitized records creates new security concerns since it makes data more available to employees and more susceptible to cybercrime.