Theft of computer equipment, negligence by staff and third parties, and malicious insiders caused the majority of patient data breaches.
A new study from the Healthcare Information and Management Systems Society reports that since January 2008, more than 110 healthcare organizations have reported the loss of sensitive patient data affecting over 5,306,000 individuals.
The findings, published in the 2010 HIMSS Analytics Report: Security of Patient Data, show that the vast majority of the 250 healthcare IT and security professionals surveyed have policies, procedures and technology in place at their organizations to prevent data theft. But changes made to protect medical records haven't curbed the number of reported breaches, which increased six percent since 2008.
HIMSS's Analytics unit did the study in partnership with Kroll Fraud Solutions, a provider of data protection and identity theft response services.
More than 40 percent of survey respondents reported that data loss incidents were caused by theft (stolen laptops, computers, or media/tapes). Another 27 percent were the result of loss or negligence by staff or third parties; malicious insiders caused 20 percent; and 9 percent were caused by system hacks, Web exposure, and virus attacks.
The organizations in question have security policies in place, said Brian Lapidus, Kroll's chief operating officer. But "the gap between security policy and actual behavioral change is still significant," he said.
The study's findings are similar to those of a 2008 report that also showed a gap between policy and behavior, according to Lapidus. What is changing is the increasing shift toward digitized medical records.
The 2008 survey found that nearly all respondents had formal security policies and procedures, did background checks on potential hires and had IT security infrastructure in place such as firewalls and encrypted e-mails.
Yet there is room for improvement, such as background checks for third-party employees, Lapidus said. In fact, 60 percent of respondents said they require third-party vendors to provide proof of employee training, but only half require third-party vendors to provide proof of employee background checks.
More organizations are training staff in best practices and requiring IT managers to take responsibility for data protection. But there continues to be a lack of consensus on who should be the individual responsible for data security, the report said.
Too often a data loss occurs, and the question arises: "is this the CIO's problem, the risk manager's problem, or the chief privacy officer's problem? Whose problem is it? Who owns it?" Lapidus said. There needs to be collaboration across the silos, and organizations don't always think that way, he said, adding that healthcare organizations need to keep risk at the center of their focus.
Toward that effort, 87 percent of respondents said they have a specific policy in place to monitor electronic patient health information access and sharing. Eighty-six percent said regular audits are conducted of systems that generate, collect and transmit patient information.
Of the IT managers interviewed for the survey, slightly more than half (56 percent) work for a general medical/surgical hospital, and a third work at critical access hospitals.