Insufficient funding and lack of executive support are mainly responsible for security breaches involving patients’ electronic health records, a study found.
Executives at health-care companies and providers must improve cost assessments to include payments from class-action lawsuits, said the report released today in Washington by the nonprofit American National Standards Institute. Its members include Kaiser Permanente and data-security sellers such as Microsoft Corp. as well as the U.S. Defense Department and the Food and Drug Administration.
“No organization can afford to ignore the potential consequences of a data breach,” according to the report by the institute, which helps businesses and agencies set standards. “To successfully mitigate data breach threats and risks, leaders of organizations in the health-care sector must understand the evolving health-care ecosystem.”
Concerns that patients’ personal data may be vulnerable to theft may grow as President Barack Obama’s administration increases incentive payments to doctors and hospitals to spur adoption of digital health records. The payments established by the 2009 economic stimulus legislation may reach $27.4 billion.
The frequency of data breaches at health organizations jumped 32 percent in 2011 from a year earlier, costing the industry an estimated $6.5 billion, according to a Dec. 1 study by the Ponemon Institute LLC, a Traverse City, Michigan-based information-security research group.
Executives at health-care providers, pharmaceutical companies and medical-device makers surveyed in a Jan. 31 Bloomberg Government study said they would need to increase spending on cybersecurity to about $155 million a year on average from $23 million to stop 95 percent of hacking attacks. The analysis was based on interviews with 56 executives from 24 health-care organizations.
The American National Standards Institute study released today found that almost 60 percent of about 100 health-care executives surveyed cited lack of funding as the main reason for not securing digital records. Forty percent cited insufficient time, while 32 percent pointed to a lack of senior executive support.
The report offers chief financial officers and chief privacy officers a five-step model to make a business case to top executives for investing to protect health records. The model is intended to help organizations assess security risks, identify gaps in protecting data and calculate potential costs of a breach.
“What we want to demonstrate is the work that the private sector can do on a key national priority,” James McCabe, a senior director at the institute, said in an interview.
The institute conducted the study with the Internet Security Alliance, a Washington-based trade association, and the Santa Fe Group, a consulting firm in Santa Fe, New Mexico.
The U.S. Department of Health and Human Services began collecting data on breaches in August 2009. More than 385 incidents were reported affecting at least 10 million patients nationwide in the first two years, the most recent information available.