Breaches at Hospitals Are Rampant: Survey

42% have 10 or more incidents a year
Breaches at Hospitals Are Rampant: Survey
About 42 percent of hospitals have at least 10 information breaches a year, according to a new survey of 220 institutions. That's double the percentage in a similar survey conducted a year earlier.

The survey also found that 84 percent of U.S. hospitals have at least one data breach incident a year, up from 63 percent in the year-old study. The new survey of compliance officers at hospitals was conducted between March 30 and April 13.

The increase in incidents comes despite the HITECH Act's toughening of penalties for federal security and privacy violations and its requirement for reporting major breaches to federal authorities.

One key way to help prevent breaches and identity theft is to provide extensive staff training, says Steven Bearak, CEO of Identity Force. The Framingham, Mass.-based company conducted the e-mail survey in collaboration with the American Hospital Association, which transmitted it to all of its almost 5,000 members.

"The single most important thing is creating a breach-free culture," Bearak says. That involves conducting risk assessments, training staff on how to prevent breaches and tracking incidents.

Lack of training

The survey found that 38 percent of hospitals either do not have a training program in place on preventing misuse of identification or they have only trained a few employees.

Too many hospitals adopt a breach prevention policy and require employees to read it, but stop short of offering training, Bearak contends. "Relying on policies rather than training is a big problem," he says.

Only 16 percent of hospitals surveyed said they have a plan in breach notification plan in place so they can comply with the HITECH Act.

Although the Act requires business associates to report breaches to hospitals, 61 percent of hospitals surveyed said they do not yet have a formal process for verifying that business associates are ready to comply with the Act. Also, 36 percent said they are certain that some of their business associates are not in compliance.

"These new regulations are complex and confusing," Bearak says. "People are unsure about how they will be enforced." He predicts it could take many months for hospitals to assess risks, devise plans for managing the breach notification process and identify which staff members will investigate breaches.

Bearak urges hospitals to amend their contracts with business associates to spell out expectations for compliance with the HITECH breach notification rule. He points out that in addition to software companies, billing companies and health information exchanges, business associates can include transcription companies, document shredding firms, document imaging companies and other firms that have access to personal health information.

Red Flags rule

Although it's unclear whether the Federal Trade Commission will, once again, delay the June 1 target date for enforcing its Identity Theft Red Flags Rule, hospitals should nevertheless be working toward compliance, Bearak argues. The rule requires hospitals and other healthcare organizations that grant credit to their clients to have formal, written policies and procedures in place to spot the red flags that are signs of identity theft.

Among other survey findings:

  • 71 percent of hospitals investigate fewer than 50 cases of possible misuse of identity annually.
  • 56 percent believe the new healthcare reform law, designed to help provide insurance coverage to more Americans, will have no impact or will increase medical identity theft.

About the Author

Howard Anderson

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.