An annual study on patient privacy and security marked improvements on the data breach front.

An annual study revealed that data breaches at health care organizations are, on average, less costly and occurring less frequently than in the previous year.

On Wednesday, the “Fourth Annual Benchmark Study on Patient Privacy and Data Security” was released, and highlighted that the economic impact of data breaches was $2 million for health care entities, marking a nearly $400,000 decrease since last year's study.

In addition to the 17 percent decline in data breach-related costs, the study found that 38 percent of health care organizations had more than five breaches in a two-year period – accounting for a subtle drop in incidents.

Last year's benchmark survey showed that 45 percent of organizations experienced more than five breaches in the same window of time.

The 38-page study, which was conducted by the Ponemon Institute and sponsored by ID Experts, a Portland, Ore.-based data breach and fraud prevention firm, polled 91 health care organizations, which were largely composed of hospitals and clinics that are part of a health care network.

All of the respondents, which were polled over a three-month period ending in January, are subject to the Health Insurance Portability and Accountability Act (HIPAA) as covered entities, the report said.

On Wednesday, Larry Ponemon, chairman and founder of the Ponemon Institute, told SCMagazine.com in an interview that findings from this year's survey indicated improvements, though “modest,” for the health care industry.

“Things are getting better as far as dealing with data breaches, but I think organizations have a long way to travel before they are in the ‘good’ category,” Ponemon said. “On the negative side, 38 percent of organizations say they have had more than five data breaches in a two-year period, which means it's still a common occurrence.”

Of note, the study also shed light on health care entities' lack of confidence in the security of health information exchanges (HIEs) – defined in the report as “the mobilization of healthcare information electronically across organizations within a region, community or hospital system.”

Seventy-two percent of respondents said they were only somewhat confident (32 percent) or not confident (40 percent) in the security and privacy of patient data shared through HIEs.

This year, only 32 percent of respondents said they were members of HIEs, while one-third said they do not plan to become a member.