Healthcare providers fail to heed HITECH privacy safeguards, says report

By Mary Mosquera

Privacy advocates say they expected that healthcare organizations would have toughened their information security practices by now as a result of stronger federal privacy and security regulations enacted last year.

But protecting patient data is a low priority for hospitals, and they demonstrate little confidence in their ability to secure patient records, according to a survey report from Ponemon Institute, a privacy and information management researcher.

The passage of the HITECH Act in 2009 widened the scope of privacy and security protections under the Health Insurance Portability and Accountability Act (HIPAA) to reinforce safeguards for patient data by providers, plans and their business partners and increased fines for violations.

But HITECH is not taken seriously, according to the report released Nov. 9.

About 71 percent of respondents do not believe the HITECH Act regulations have significantly changed the management practices of patient records. The findings also indicate that there are a significant number of data breaches that go undetected, and therefore unreported.

Security controls are lax: only 16 percent of healthcare organizations rely on security technologies to prevent and detect data breach incidents, according to findings in the "Benchmark Study on Patient Privacy and Data Security."

As a result, patients are at risk of medical identity fraud, and breaches are costing hospitals and other healthcare services companies millions in annual breach-related costs, said Larry Ponemon, chairman and founder of the Ponemon Institute.

"At this point one would hope to see that healthcare organizations have improved information security practices and come into compliance with HITECH, now that it's been more than one year since it was enacted. Instead we found enormous vulnerabilities," he said.

ID Experts, a data breach solutions provider, sponsored the research, in which 65 healthcare organizations, including integrated delivery systems and stand-alone facilities, participated.

Among the findings of the report, 58 percent of the organizations responding said they have little or no confidence in their ability to appropriately secure patient records. According to the report, 71 percent said that healthcare organizations have inadequate resources, and 69 percent said insufficient policies and procedures were in place to prevent and quickly detect patient data loss.

The average organization had 2.4 data breach incidents over the past two years, the report noted. Major factors causing data breaches are unintentional employee action, lost or stolen computing devices and third-party error.