[author: Judy Selby]

The diagnosis is in, and its not good. Unless an aggressive treatment plan is put in place, the prognosis will be just as bleak.

On December 6, 2012, the Ponemon Institute issued its Third Annual Benchmark Study on Patient Privacy & Data Security. The key findings were that a shocking 94 percent of healthcare organizations in the study had at least one data breach in the past two years, and 45 percent report that they had more than five breaches. Ponemon estimated the average economic impact of the data breaches over the past two years to be $2.4 million for the healthcare organizations that participated in the study, and that the average annual cost to the healthcare industry could potentially reach almost $7 billion.

According to the study, contributing factors are the lack of sufficient technologies, funding and expertise to the address the issue. Further, although employee training is the most common activity to secure confidential data, its effectiveness was called into question. The primary cause of breaches in the study was lost or stolen computing devices, many times attributable to employee negligence. The BYOD (bring your own device) trend doesn’t appear to be helping, and criminal attacks increased from 20 percent in 2010 to 33 percent in 2012.

A total cure is unlikely. After all, even FBI director Robert Mueller has stated: “There are only two types of companies: those that have been hacked, and those that will be. Even that is merging into one category: those that have been hacked and will be again.” But, on a positive note, the Ponemon Study found that 68 percent of organizations conduct and document post-breach risk assessments required by the HITECH Act, representing a 7 percent increase from 2011. And more organizations appear to be relying less on ad hoc processes and more on security policies and procedures, including manual procedures and security technologies.

When asked how the threat of an Office of Civil Rights HIPAA audit affected changes in their organizations, only 9 percent selected the purchase of cyber insurance as one of their top two changes. A similar lag in the purchase of cyber insurance was noted in the Chubb 2012 Public Company Risk Survey, which found that although 63 percent of decision makers in public companies identified cyber risk as their number one concern, 64 percent still do not purchase cyber insurance.

The advised treatment plan for healthcare organization and public companies alike should include continued employee training, establishment of comprehensive formal organizational policies and procedures, incorporation of security technologies, and the purchase of cyber insurance to assist with the response to and the mitigation of damages from a data breach.